neconyd | 6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
Size

64KB
MD5

890017cc214815888bd06f01d6ea9ba9
SHA1

980b4f308aef43b85a005a490bacfb4eafddb2ac
SHA256

6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd
SHA512

2a121698c866435f0151ae602d38cb1e6926a3e599a486c4076217a9593ec25f318cdeb3e385fb2aea877461e452c734e5ca711aab96816f4ee362b8dbed281b
SSDEEP

768:oMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAV:obIvYvZEyFKF6N4yS+AQmZcl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3080	omsecor.exe
2296	omsecor.exe
2856	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 3080	1352	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	82
PID 1352 wrote to memory of 3080	1352	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	82
PID 1352 wrote to memory of 3080	1352	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	82
PID 3080 wrote to memory of 2296	3080	omsecor.exe	92
PID 3080 wrote to memory of 2296	3080	omsecor.exe	92
PID 3080 wrote to memory of 2296	3080	omsecor.exe	92
PID 2296 wrote to memory of 2856	2296	omsecor.exe	93
PID 2296 wrote to memory of 2856	2296	omsecor.exe	93
PID 2296 wrote to memory of 2856	2296	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
"C:\Users\Admin\AppData\Local\Temp\6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
9364a40949ba2d9eb275e785c84b05f5

SHA1
7cabc77776c4779b45edc2de4510d4f429e7bce5

SHA256
6e392d86641ba46234bf8ac3826bf94536da3ae9aff57807d6d444cb9023105a

SHA512
ec8a775a26df812aed6e70cba9aa77517aaa2aa842337112d1a7f84304eb6d0c488ebded585359877c90746c978761358160109f32f9a6a8e081003b42847053

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
5257ecdadc200cdb5db3f316b063f7d6

SHA1
948df0b3e21e704e91b2284f49c398d86212f1f4

SHA256
e1a4e85cf19eb4f4aeae42209e679c4ea79b8080041a39010742a4c90782e77a

SHA512
81096b9e7fa942910d385a0426b113ddf1c62f51854ae4b2bbe9c84afd5a7d5b3072f8af8984dd7a9b1ccc6e6baa99365fadb4b334d91ba1a87bc686527d9f5b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
c2eb4d31f6f29e3eb80a7f6a6258f86f

SHA1
bb97f76235802726fb469cf70a9bb3cdd446dfa7

SHA256
f78205654cc2fcdc7ad1fa9836699722785c0b2016a7b284dd305c7881634e9b

SHA512
298f29f3e168f25b9e4c0bb609c419e6bddc2854c938fdf232c3d162ceec931393e7d9cb394cebeb0d7ac951232bc4d4ea33eabac5f26104c919b08ddbd95e63

Download Submit