neconyd | f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
Size

65KB
MD5

a92d13c049690b507dec08c60b31b63c
SHA1

3cfd1845b72a3f718f822c738f4f6d1f7d1a5e15
SHA256

f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be
SHA512

78028dd07b3cd83a7a53b14036afc544e377c625ea3cf1ee39e74101829c3c4d89a9a31ed1787fe975fda15f8f80cb85e52004558fa2144ffa0e0e24d8e793b9
SSDEEP

1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzP:+dseIO+EZEyFjEOFqTiQmRHzP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2672	omsecor.exe
4652	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2672	4736	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	83
PID 4736 wrote to memory of 2672	4736	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	83
PID 4736 wrote to memory of 2672	4736	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	83
PID 2672 wrote to memory of 4652	2672	omsecor.exe	101
PID 2672 wrote to memory of 4652	2672	omsecor.exe	101
PID 2672 wrote to memory of 4652	2672	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
"C:\Users\Admin\AppData\Local\Temp\f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
d19b4b75a78f4cf59f8befa050be85b5

SHA1
bc40748f7f6c5be849e210beb0c515799096ece5

SHA256
08fee8c35b616190d57f9e0d271871c2f29ee53a41ae93fb2f4adb73234b3abc

SHA512
52ecff996c44f8bcf2d2d311b8df1e65fd82e98b0d9510e4115222444cffff504536d9eea14581e4b67782d7c05a4e8eaf4bd4dce42840c6cc5e148e116c886f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
360c09fc32877ead3d9c21c2c7e41317

SHA1
3945f28d924b2fa68c84f3e54e34734e2332f274

SHA256
84c97616f6fb079cff89d57ee7a9bb038b9bbadeb713f6a45465d18af6eef0d4

SHA512
d346c6739d4a39d8ade6a26a762c4a6f0ac6069093c187025a12310cdaee38dc41873a2e181b7b32c056386f4ee88f80b4f445b2f2802c62c142778489868b35

Download Submit
memory/2672-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4652-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4652-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4736-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4736-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download