neconyd | 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Size

65KB
MD5

e61c59c5b1a01e9e2a31877ed0d17600
SHA1

c8058a611ae1788aa0bbb8ff1559bc3b58b350a7
SHA256

4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820
SHA512

eadc80af64e8ea5220b76be7e2e99ac15797c009c0878c64959b60ed415e892671122b4c1a101d695b4c776a117cc2997a57b06304b949eb3d4c02408395f8b0
SSDEEP

1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:+dseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2208	omsecor.exe
2120	omsecor.exe
1312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2208	4860	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	82
PID 4860 wrote to memory of 2208	4860	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	82
PID 4860 wrote to memory of 2208	4860	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	82
PID 2208 wrote to memory of 2120	2208	omsecor.exe	92
PID 2208 wrote to memory of 2120	2208	omsecor.exe	92
PID 2208 wrote to memory of 2120	2208	omsecor.exe	92
PID 2120 wrote to memory of 1312	2120	omsecor.exe	93
PID 2120 wrote to memory of 1312	2120	omsecor.exe	93
PID 2120 wrote to memory of 1312	2120	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
"C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
150c5b65d14f19a666995e1e64945ef7

SHA1
c1060e938b0f54369fe182a8d3c3194e5508ebfe

SHA256
e3b721d70e049bc37c717520135a71d06575988d515ec54efab1b5ebcc20fdc3

SHA512
d8def34773ab137300f956b1880d2c95f38b718cddc5300b7c39cea4181b9bf42126768dde3c9df3c3b0ef0a2b78253fc4e2b3a970bc89d4af9d7a7b1d7c5031

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
1e84a6e10f2eed342b1e56e1822fb3a7

SHA1
70f9247a0d69dff58d58fd34ee042e8bcf97f661

SHA256
aadbf4a32530e19514963b21ea873d660683e05861b975cc997b40d5b5da223e

SHA512
cdbc37ee0e79cc580db2ba3d35c9740e99336d81001ca0fb04606db409a23de103e34b86bd58060b546c36611de97e68325fe23590bafaff0519ae3fb1c35610

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
79ceaa6ce8169465f003967cc94189a3

SHA1
d4ac30383f29196b18c3f2bd00fd6521182e7cd6

SHA256
e865879b40a051a711d044ddec3bbcedeee7a7e1ba886d588b92466b7e2e39d2

SHA512
f2518d1812eb76b5071d7e420d3d9da08fad07a8e760eb7da3175aba616f2f3f98713db975cbb46d59f4abb32e565ee958cba3fb858bfd7109777f842318841e

Download Submit
memory/1312-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1312-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4860-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download