neconyd | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60a

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
Size

76KB
MD5

bedb4810e0fdcac907fc66cdd659ab40
SHA1

e14e0d31be41d8c5436d4f1fe1030534d65e1b53
SHA256

3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60a
SHA512

c4c791fe7139920df90a9c22b0651d35bc80e0f2829df083f366a9337ec8b2fc706e4fa15955b8b41a54a9aaeb85a61da01ffb6fb59792a496005dda3c917e68
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11T:XdseIOMEZEyFjEOFqaiQm5l/5w11T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2300	omsecor.exe
4460	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2300	3352	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	82
PID 3352 wrote to memory of 2300	3352	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	82
PID 3352 wrote to memory of 2300	3352	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	82
PID 2300 wrote to memory of 4460	2300	omsecor.exe	92
PID 2300 wrote to memory of 4460	2300	omsecor.exe	92
PID 2300 wrote to memory of 4460	2300	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
"C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
402e67f3b5e8009ecfd54bb3f3ffda2f

SHA1
d5aaf50c059edde3b959492308c6c58fde28f9c9

SHA256
22b915b62a07e2f53f32b89c489ff030d68e582acaf09da6bc5c0711942507bd

SHA512
3cb5f53c8f8eb2ce9e53fc150703c39b80801d39125db334b8d0fa4bd56cdc999b6b86f2aaa2949e04072e4cd402f0fdbc8e2b0ad2a56f8fcea61bb3fa49de4f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
34044f21d648125e96d26b66928be01e

SHA1
9396276e41681776bfdfb9f1420f7be133456634

SHA256
b8d4a29aa6a43eb6c94a3c98e8cf772806b40a18116d4c5e08efda95567fc830

SHA512
c2dd3d2e10c159cc7f016a2f6b4318a2bb83a3230fffd8150d4ae12fad225ff9cb9378c6a7fe3f6dd6f7b9e0b7eae943df9b5ea75f7ff459436ab9acf55719c9

Download Submit
memory/2300-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2300-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2300-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3352-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4460-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4460-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download