neconyd | 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Size

72KB
MD5

63c3eac87a43e1045b78d95d7ec1d2ba
SHA1

a7b9d2f39670f3a035484c521487d15d765de400
SHA256

2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342
SHA512

a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787
SSDEEP

1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4860	omsecor.exe
4716	omsecor.exe
3556	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4860	3448	2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe	83
PID 3448 wrote to memory of 4860	3448	2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe	83
PID 3448 wrote to memory of 4860	3448	2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe	83
PID 4860 wrote to memory of 4716	4860	omsecor.exe	100
PID 4860 wrote to memory of 4716	4860	omsecor.exe	100
PID 4860 wrote to memory of 4716	4860	omsecor.exe	100
PID 4716 wrote to memory of 3556	4716	omsecor.exe	101
PID 4716 wrote to memory of 3556	4716	omsecor.exe	101
PID 4716 wrote to memory of 3556	4716	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
"C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
3f269fa4d5d90c8f37a8e152ece69c59

SHA1
196425102d7ad5d743c11116fefcb3d139879fd6

SHA256
0cd370055655e03494351880ef886838f1b7885d7af4665a7afc0096c3dc6c62

SHA512
88f986660c8677f82cb292e06e5278fec15243b118e22584e4502f2ee8d2bdbfdc5f8eb661eff9c222f631b97097cf632bdd098094741d14ba04389dccb5b49a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
7aa684bca2f474d1490c016504595726

SHA1
8f7390d9883ea1793c3ea05ef3637bb5de55c868

SHA256
57b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd

SHA512
b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
b314b1e5eddcd5e02a888dfecae5a927

SHA1
e9c63edfb8a34c4c5e4fd362110dd74af1ebe043

SHA256
6acf113513646bda63d5470a7a48df44d972c0e2e4c8c9398aaed1a9b8afd88f

SHA512
aac2a40fbf4ee13aae7bd0ac94a90c7eba01908ac777f30b07c9a66a74e817022dfbe30ac7275827deb02ce8a54a8db66e5d42cfe8d738cd4dff41f208503a50

Download Submit