neconyd | 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
Size

76KB
MD5

1076a4ca22700c9bd3071b3f5be10fca
SHA1

9f3ce9cf20ee6b47676cf2cdee7dbaffb2e41880
SHA256

43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03
SHA512

092873c0450e21eb8adc6f4d103dca5995e1f356baca69b8f1ee78c4c7695dcd21667b8a32f20bccf7d0041aabdd2569dfcd335a010af7fbbcfcf3bc667aff2a
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11V:kdseIOMEZEyFjEOFqaiQm5l/5w11V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1484	omsecor.exe
3188	omsecor.exe
3600	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1484	3304	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	83
PID 3304 wrote to memory of 1484	3304	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	83
PID 3304 wrote to memory of 1484	3304	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	83
PID 1484 wrote to memory of 3188	1484	omsecor.exe	101
PID 1484 wrote to memory of 3188	1484	omsecor.exe	101
PID 1484 wrote to memory of 3188	1484	omsecor.exe	101
PID 3188 wrote to memory of 3600	3188	omsecor.exe	102
PID 3188 wrote to memory of 3600	3188	omsecor.exe	102
PID 3188 wrote to memory of 3600	3188	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
"C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
84fbd9910a6189dc5bed4e577ddb2cf6

SHA1
6d092b96487d8bdeca111fedada77104201c2ebb

SHA256
edeebb9bfc6d7c960b449c8cd85a9b3bc4fba1d27cf5b82feebc37ec226bfbd7

SHA512
bcd4e4dc87e12e5a5ee3160822716363f127bf6cb157adc0e1256b8a7b99deeeaae0d977325a01b38903be30e102a08767d06d3cb9b7c5446a320350eeb11c47

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
813832ed98234dc5dc897d8c67b54771

SHA1
3af5098ef770ce3df082fdedd62f6bf235466963

SHA256
22dcdc423c734f3ea7a9c38b5c6301e0c63ba56ab41f79afd284a75b6dea39a3

SHA512
1e4dc7ee1506dfff1ebbdd50e7fed490ae5b9085ff34fc35d913fd04041996859527c37ada542192c6768821cd22b7300587ffd0d9f0a93ec6374be62bb26b0d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
d97a0adbfba81e6cc85e7e5085487392

SHA1
efc816252579d772def61b69a006ac4b8a5cb738

SHA256
92824860efaa0402479a6551007b715380b7b2021e099ff24d221bc3bcbb1e49

SHA512
32f6685526f1f1caded86f7e13676439301b6fabff981865b7ec53f6bb0a34d92a9f12554b6963473afffe4b3514af8f5ef2aa3fbc14fbd8bf1a386b2ff76224

Download Submit
memory/1484-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1484-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1484-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3188-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3188-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3304-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3304-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3600-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3600-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download