neconyd | c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Size

71KB
MD5

71bb744abacc0cc2d91122f40518e400
SHA1

2696b4941186d1311c3fbcd6e9c821bce6be5cbd
SHA256

c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071
SHA512

fd6043c84c4ea3d077f25cfc663cc0383bc526d4845ab251c803854ad9051db6d612d472a6d1fff667843627861d9e72648581eabbff962545ac4432ee1ea840
SSDEEP

1536:/d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:3dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3144	omsecor.exe
548	omsecor.exe
4236	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3144	3116	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	85
PID 3116 wrote to memory of 3144	3116	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	85
PID 3116 wrote to memory of 3144	3116	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	85
PID 3144 wrote to memory of 548	3144	omsecor.exe	102
PID 3144 wrote to memory of 548	3144	omsecor.exe	102
PID 3144 wrote to memory of 548	3144	omsecor.exe	102
PID 548 wrote to memory of 4236	548	omsecor.exe	103
PID 548 wrote to memory of 4236	548	omsecor.exe	103
PID 548 wrote to memory of 4236	548	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
"C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
bb3430677cf613f96df4715c8d943634

SHA1
212224ee395b87f5e6e6f1d2aa950cb7e43fb1cb

SHA256
eca6d5261addcc936adc3293885e31fc43efa760ace7b6a87b092f30d5ba1576

SHA512
73e581c09d90fdac57969d075c96d3c4d2ec0bef2d4edfda24a2a4b52871e68d28249a932cedf5c0e2797de6cf314c0491f8dcc8048b18356a7d11003c2efd5e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
03cb7f6f015752357265d67fc886541b

SHA1
a3271d6c2551f5b556262002cc0d779974b54889

SHA256
0b40578b66ec87d50aefaebf463ea6f0b80ee7d83cfb145e5733a1fba0600dee

SHA512
067c76adca86db50ab4ec96545f58cf112d6ecb662ae3173ae50ec4038aa36dd4c8b1979233955951249111f846550e9d9ae54829c0b1a462ca1218698302075

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
4863e5833e7723593ffc8f3eafe5f2a3

SHA1
bf92dac90215910bdbb5914462337d83228d3e39

SHA256
aab75a507e8230f79a614cf74877d099af117c2c403c550b1e5790223258753d

SHA512
bd32a9680211fc38cabcaa74ce61fb17673f539f0e702e401a67d87625f0942fb5a9cb6d95c4423d55688c2e2b0fb0e4b851f572b30143bd2a3a3e3b3a83ec80

Download Submit
memory/548-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/548-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3116-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3116-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3144-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3144-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3144-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4236-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4236-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download