neconyd | cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe
Size

71KB
MD5

104baa331a54a4cbb1a63f148fe1d027
SHA1

d878c66498e2714e53f81eab13537fc1d4e2bc3d
SHA256

cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7
SHA512

29f0aa29ce067e854c1d9f0b4b29014f886a2dac8e4b5843f66e44a02fcdff256f638c956ca1e2e4ad939b0fe781c73c1899a2148b27e43987f4b8871b067a16
SSDEEP

1536:xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHv:BdseIOMEZEyFjEOFqTiQmQDHIbHv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2360	omsecor.exe
3968	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2360	5020	cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe	83
PID 5020 wrote to memory of 2360	5020	cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe	83
PID 5020 wrote to memory of 2360	5020	cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe	83
PID 2360 wrote to memory of 3968	2360	omsecor.exe	100
PID 2360 wrote to memory of 3968	2360	omsecor.exe	100
PID 2360 wrote to memory of 3968	2360	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe
"C:\Users\Admin\AppData\Local\Temp\cd9cf703a85203174085df18bdebffb31c34f43430a529d0f1e8ecee1d667df7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
eec046076e884150ccf33537c75c9b04

SHA1
2a39c7d0aea32edaa405592dab1961f3e7fb83d2

SHA256
0953cccc78358565df6d5f1867f76059e22c3d8692eb484c89bef7286b842dac

SHA512
590fcf657d181ad0427af6f10bf6f9d07edca992b6ae44b0ad7901baa2c5e9f9bcc47f3582b8476ec12a0e15512b33d5262a47a4d97e811906be717fa9e12c5c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
1579dd00fdfd1df238ee3d25c8e6b181

SHA1
5ef62fb3ccd3d015682a62dd1881d9ed136dd17a

SHA256
5e9b73c8751ed557f38462f1e0fa8f1dacdf0f245e9258597500095982f9166c

SHA512
c89271b0ca9b579f4fa78156b2a4d287002a8fba1a3193edd7e4c960299108d8e83a4106ac2d881243af200c67bd44db1d9ba28e2d8040ce257bd635c6df97a9

Download Submit
memory/2360-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3968-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3968-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download