neconyd | 3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6

Analysis

max time kernel
106s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe
Size

72KB
MD5

b1b70c779ade055d67a6972060d2db81
SHA1

a5ba3226d03d0388390a3b7bfd6eb20e07359552
SHA256

3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6
SHA512

b0c817916cddb3c88f3f9cfaa66ce97720270134ae82dd1ccfc3008cd65ea210cf5e9dba43f6e957285362c5d407cecb67c494f5e659ae361cebca464ad76f78
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWG:NbIvYvZEyFKF6N4yS+AQmZTl/5OG

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4372	omsecor.exe
2432	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4372	3908	3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe	83
PID 3908 wrote to memory of 4372	3908	3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe	83
PID 3908 wrote to memory of 4372	3908	3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe	83
PID 4372 wrote to memory of 2432	4372	omsecor.exe	101
PID 4372 wrote to memory of 2432	4372	omsecor.exe	101
PID 4372 wrote to memory of 2432	4372	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe
"C:\Users\Admin\AppData\Local\Temp\3a078c9f2ad655866c1ebeb39522e76ae3037f684839f46b62895555621544c6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
f0bcf7c66ec3c829a0bf7128c1bed0ab

SHA1
83233abe5586d0972f453b3dc27f2ed37b9c187f

SHA256
70a10a4a9683543a3dd4b32cd438d26238a9484944e494cd4c5adc1356a2b9d2

SHA512
290a6bb93c58543bdad267aa86ddf65e3ab840fcc420127a2b048761acd1086aa5eb523d7c1725c6dfa8538e44e3f78e408c04b92d7814dbb405366058579854

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
4fa092aec5661d48890d623f7cb227b8

SHA1
7418fd64be8dc8dc0a83a7ed0803ae6b90d52646

SHA256
cb400fba24b17be2cde4b5f0dbf234994d8f980ce1c3977a6c7fc80976405a73

SHA512
655808caa56bc68f3dbcd7760be02c22b9b9d5fab5ec6a45d901943b36f66a69fe643f9446ac52807b7e57da6a07608531344e2d2fb65e5041ae7aa0640d6d81

Download Submit