neconyd | 781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Size

65KB
MD5

21c540f78bdf821f2f1af733520c7ac0
SHA1

dad78580707815d02ef375d7e6645d13d388aaed
SHA256

781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed
SHA512

dbcf9d5589010e6b9d7bfab28fcf4b4af413f6a31cd8e0e818751685cbd8e539b9eb9ea95df1e0052cd5e973cfaabfb33418b5b36393a51e2588ac347853b030
SSDEEP

1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:RdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3616	omsecor.exe
452	omsecor.exe
5064	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3616	4624	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	82
PID 4624 wrote to memory of 3616	4624	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	82
PID 4624 wrote to memory of 3616	4624	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	82
PID 3616 wrote to memory of 452	3616	omsecor.exe	92
PID 3616 wrote to memory of 452	3616	omsecor.exe	92
PID 3616 wrote to memory of 452	3616	omsecor.exe	92
PID 452 wrote to memory of 5064	452	omsecor.exe	93
PID 452 wrote to memory of 5064	452	omsecor.exe	93
PID 452 wrote to memory of 5064	452	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
"C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
6ed9634e98c84e8883d35059f94189e8

SHA1
4d3ae5e25207a3d73b555076d79cf5f57b42d7f2

SHA256
20a88462aadd8ff6764d78e7bbef962dc9fd738877966dd45fc9fd0a95ff5a21

SHA512
4b15648dd6296db21983d694206f2cac3d4decb2c626218a6ec8cd00ebb19ba67823ea2faaa9a00a69f1b157776b7f1e3cabfcdabf23cd7dd2bc441cc6fcaf02

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
38774e4d6c0db08725122be4fd407463

SHA1
9e8908bd43e73b1d0be87fcedd77e368d581cc11

SHA256
258fc8cf69a98d349712430d29b532f46898748419940acab9c6504fbfafe17c

SHA512
7d04cdf63e280a0d6f5c6843e4de1981bd537c4bcac246290ce8ba70ecb6b6e228ba03cb3f78b0f63ab7aa8cb016355f42612666415c7a9b74e879795f0d1be1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
087973fe5ea803e957fcaeffba4da7f6

SHA1
30f808084a8709946daea5f61f05c481fa3648cb

SHA256
babf9fcfc77ea5e4a402d9544da201b5dbfd4ddd1439da3a9c95113ea15a0f4f

SHA512
ab7c8cf1f6ddf232ec29f3e55b61a60d9db0a347eccbe129ac8f2693b25c06bc6d9dfd6907a0c7fbf123836909adeb6697624c3f4d64eb583bb4ec9f26442962

Download Submit
memory/452-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/452-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3616-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3616-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3616-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4624-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4624-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download