neconyd | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571d

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
Size

65KB
MD5

d5d05acd29a4225bffef36e3d6fb1ee0
SHA1

007d469de21c5a9015762614677e2c8c6893c25b
SHA256

c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571d
SHA512

f02c620fc9b61d9f503c0bc269c9e2e6d0dfa1bb7436be697a4b0cf0a9df8c824a5afab16deeeb1c623c6c40878ebd8bc90ba81b32855d15cd791233b291293a
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:IdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4620	omsecor.exe
1156	omsecor.exe
5116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4620	392	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	83
PID 392 wrote to memory of 4620	392	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	83
PID 392 wrote to memory of 4620	392	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	83
PID 4620 wrote to memory of 1156	4620	omsecor.exe	101
PID 4620 wrote to memory of 1156	4620	omsecor.exe	101
PID 4620 wrote to memory of 1156	4620	omsecor.exe	101
PID 1156 wrote to memory of 5116	1156	omsecor.exe	102
PID 1156 wrote to memory of 5116	1156	omsecor.exe	102
PID 1156 wrote to memory of 5116	1156	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
"C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
582a5979e0d2575f42592497612f6318

SHA1
ff3a8a4c5043454f97dff4bf32369f9f822aff93

SHA256
906fb940d5b450d14c5ee7f501f9ebac5a72377b534e8659867b84b58660f5e2

SHA512
4e55e03dcecf3e3df09cf0944f450924a6370d63a523a6a85506ae66090f81193be6b38630d5016280531ef5b925fbbb848bf39dc0a7b3d6bd2c1ba7256d4ae1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
35004040aa1834520e0517eec19d1afb

SHA1
d8f2fa63517fd03b80a095a059dcdd5c3dc4272e

SHA256
ab5b15e853e6e20c2a6bed85481cd5f38f2260ab2c18f3d347f86dfb1ccaf8b7

SHA512
be122f405a05a06a1b1d442bf1c26ad3d94a164027d219bb551805a0d093f4095caa7a9f36cf2be4c54100559c38c88be47b00f39efa185a693bf9d45d4e583b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
6af131cd1c4ceeaf604283f5d90880f9

SHA1
1664111a5a5ba8f96ad18eb7c598d75fd0042993

SHA256
0c86fb1c5fd3463e51d7fe48e44cb5b5fefff094211850b31c04d88a3c84d9d8

SHA512
1b8249ad5cba1333ae725413e87b419078a5bacf41211d09b18e56b8c95f42f52a86a059ccc654015f08e4096990f090f287faa15b5317d55c00aacdaf3a9c96

Download Submit
memory/392-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/392-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1156-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1156-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4620-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4620-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4620-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5116-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5116-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download