neconyd | 8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Size

65KB
MD5

604765030c1e27ffb16c2845b8ecbffd
SHA1

3d627af1c443c50ee1fc3bcdc4f583b8912b1820
SHA256

8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488
SHA512

80bb3e2b412f202f10a185fc0321ea6413d9153194387aca2d402b0af028c6069382d8e07ae2888b4f721e6812e0c255181c9208c2933b5202f44d17c12dc955
SSDEEP

1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzV:xdseIO+EZEyFjEOFqTiQmRHzV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1016	omsecor.exe
3328	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1016	5072	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	82
PID 5072 wrote to memory of 1016	5072	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	82
PID 5072 wrote to memory of 1016	5072	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	82
PID 1016 wrote to memory of 3328	1016	omsecor.exe	92
PID 1016 wrote to memory of 3328	1016	omsecor.exe	92
PID 1016 wrote to memory of 3328	1016	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
"C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3227b7de0cc359584baad0495fd4afd5

SHA1
2d3c0581537fb466ef47a23e56e6301bc13687a3

SHA256
0fc3cf8e661ce29fdd951ac43ed1a664a143af057e58914cb3517c28a761eb18

SHA512
e6248373848017d1218915ba6342e7c8ec5ded1051547ae71cb44b1e5d4e5bb6a020b35e92343353e36fcbd1f532ba274997ac65ca10653ddfaafdb54cd5f67b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
0af09ed2e5c4eeacdd9bc2f4e83f67bb

SHA1
e6635407162a08644e1d7a01a923483e5096d70b

SHA256
5b8ce4b045726315f68ae094934f6841ac16fa30134b995aeabb76b9a246db3e

SHA512
7fc7288214d3b383dfc2d79bff23be33964ed4a5e0d6805d1690fc20fe5da31c7266be2cca5cf228ae4d007050d897489febf99e7605b68114199741a34851e8

Download Submit
memory/1016-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3328-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3328-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download