neconyd | 6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
Size

65KB
MD5

bb250af5f098117ea109a96e7335ec27
SHA1

6e7ef84c96da818949bae42abf5c10ae5746a38e
SHA256

6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab
SHA512

0e4ed40a1ee54127ccefa7776e4a655b3119383c591da05f2ce9663cf4c294b9d9873e3cee06547a5c5f5f3a959f14d795730777eba4198675736dabe46af7d2
SSDEEP

1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzX:RdseIO+EZEyFjEOFqTiQmRHzX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1516	omsecor.exe
2684	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1516	3612	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	83
PID 3612 wrote to memory of 1516	3612	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	83
PID 3612 wrote to memory of 1516	3612	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	83
PID 1516 wrote to memory of 2684	1516	omsecor.exe	100
PID 1516 wrote to memory of 2684	1516	omsecor.exe	100
PID 1516 wrote to memory of 2684	1516	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
"C:\Users\Admin\AppData\Local\Temp\6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7824bffb3b4db752493dcfa3e7627c90

SHA1
60b5be9fae8289ce290e63136a88e2f4c7583894

SHA256
e16ce8350619d63ee8b90dcdce1ddd010968a4232d51092c853c648b56314dd9

SHA512
ea6ff30a04e03e4cf05b6d995862e5c98f40d8fb3806bc9e99fbe6d1392b879114d182490f34ce62675a9b652b4627dca893dd0dc991a209e6038d9ee987dde5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
662a0afa3357dab2635c99412ea04299

SHA1
66e939cb2adf6aa1bf820092715f3c24189d5060

SHA256
5bb56347eb29bc24d7436f1dc013094a26b6b608bda1887d3bb459f8670cdb93

SHA512
90c4d1de9018072b21ae9ad007cbcb20116fe5ff2ebecf285f860c2399782fe86e79a933937d7776d3bb15982455e0bec54f0018dfd47c89fb0be419eb846864

Download Submit
memory/1516-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2684-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2684-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3612-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3612-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download