neconyd | 7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
Size

80KB
MD5

7f92312b3e3885e89af5a29c29a87131
SHA1

390526f25d1c74e41b0b0282587764e6d08fc42c
SHA256

7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d
SHA512

620bcc7e564df898a5f605d31bd71db1c13c3d07a1f4bf5fe3a1b440cdea1b5e6d5b823535f9a474cc801b2d63cfdcf2709a6893615f522f2d0c2033266f6ec7
SSDEEP

768:pfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:pfbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2112	omsecor.exe
2544	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
2112	omsecor.exe
2112	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2112	2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe	28
PID 2828 wrote to memory of 2112	2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe	28
PID 2828 wrote to memory of 2112	2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe	28
PID 2828 wrote to memory of 2112	2828	7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe	28
PID 2112 wrote to memory of 2544	2112	omsecor.exe	32
PID 2112 wrote to memory of 2544	2112	omsecor.exe	32
PID 2112 wrote to memory of 2544	2112	omsecor.exe	32
PID 2112 wrote to memory of 2544	2112	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
"C:\Users\Admin\AppData\Local\Temp\7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a61d57529b995b6e1b8597b59733022d

SHA1
5322722eba9ba32f43ec78a2eb95016ac11534d7

SHA256
0123955cb9dfbb37b1abfcc46384b249d3b077e113b8a070b6d5f7dd06c36c60

SHA512
408d8d4367d9b16b72dccfda64fda3f582b4cd80874c4960396deb9bc2ea16cccdd8b7fb3a78f9f700d7f0723f297ea302dc1aa4c0360bb95070d4f4839cf3d3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
73ae1ddce355be863336ed8a4fbc78f3

SHA1
910a0b873aae9e5ad3f47c996d07664867d6b08b

SHA256
91471622e46e2917f49067094701c8a1417b28b1babebac6ee515bd5c554f019

SHA512
aae87cce958a553ee32f667cd2a7b7b5ea05bb46939212db8e90cfc81b251f329aba4124c2d7ebecae95b62741f3fc3704bc3835596436e2709a91eee4d8ad85

Download Submit