neconyd | 4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe
Size

65KB
MD5

9eabfbe419aedf8740f9064e5f304e7f
SHA1

63b6d3cb7cefaaa720ac64c38b916195dab9068f
SHA256

4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4
SHA512

f9351a87df69da31a60f9bbf4f4be79769d8d311355bde4e48b0644a9c1ccd311aa1ef93b4cc49c9453aeaa26a8c8df973bfcdeacfe94786ac7fc61d48edcd7f
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzF:IdseIO+EZEyFjEOFqTiQmRHzF

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2536	omsecor.exe
3328	omsecor.exe
1104	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2536	2336	4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe	83
PID 2336 wrote to memory of 2536	2336	4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe	83
PID 2336 wrote to memory of 2536	2336	4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe	83
PID 2536 wrote to memory of 3328	2536	omsecor.exe	99
PID 2536 wrote to memory of 3328	2536	omsecor.exe	99
PID 2536 wrote to memory of 3328	2536	omsecor.exe	99
PID 3328 wrote to memory of 1104	3328	omsecor.exe	100
PID 3328 wrote to memory of 1104	3328	omsecor.exe	100
PID 3328 wrote to memory of 1104	3328	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe
"C:\Users\Admin\AppData\Local\Temp\4d3e6ea9c8d7e205cda7f69d64fd1acb0a6ee1b47bfa549ea7439980a63179d4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5bb7a61b1e757cdad2df8a89fec82f2e

SHA1
848804982fb762e0eb759f42bbc29b9585e30ada

SHA256
921f76f4eeb50c06c01474e7a5a0aee3703cd942919f68a7272493fb6d03ea14

SHA512
edb0b10097e1d5cc22f0971f6f04f6734a7eab734c533d0b00ab7fbcab2a6efd182fb642cf062f87ddd71c3e3f59308e3cf21db19c52cb7b632bc9fa60611d0b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
cee1a4ab1fe0e299d506cc51ba85eb42

SHA1
0e4e690791058adf43b408ee795c2b3e78e8d54b

SHA256
75d899f71e1a999df065356179746d49707e3105cd31484d2016d18031763d74

SHA512
e069cd759483a27a1c13c6e909059fa126bb3b5f5d58a7ace3ead708f6f951d6975573d257c6e461fc06e15af412526dc5a67105a6be4474f6dce2c1116773c9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
fd287876619c22dcaeb59796cbe050b1

SHA1
35b79947b241998ea748e093ebf837b53b6046d6

SHA256
3a0f5874a40039cdbeca14f0632cf0418c558ecd94144cb0fdc71f3933d1cc03

SHA512
1bc72d4df0d0054dc747e667c9bd27d2fe489e69d288121b1cc5a80466e6d0a4526478a8854b6e3b5786908b26848bc3723e10b2941b73b8ad269c81d2d9667f

Download Submit
memory/1104-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1104-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2336-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2336-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2536-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2536-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2536-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3328-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3328-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download