neconyd | 1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Size

65KB
MD5

c064549c82649f9e5e14e6fa3c6c011d
SHA1

459b8287523fe2a9bb354076b0b028d8fea5e52e
SHA256

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6
SHA512

b71ca64e5513b60ae5ddd3e4f8fce324d1a32be6a463e5d802f46a8f41ea3fe05bb22f4ea647fcc2ef229d675cd2fa61d32dbc365f172154892d4d9e74ff4963
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz/:IdseIO+EZEyFjEOFqTiQmRHz/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2316	omsecor.exe
1620	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2316	3192	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	84
PID 3192 wrote to memory of 2316	3192	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	84
PID 3192 wrote to memory of 2316	3192	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	84
PID 2316 wrote to memory of 1620	2316	omsecor.exe	101
PID 2316 wrote to memory of 1620	2316	omsecor.exe	101
PID 2316 wrote to memory of 1620	2316	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
"C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a4afa73a120789b79866439e80615aff

SHA1
3d2c27342bef2f3b2b001a31937953a27f42a035

SHA256
41c12c5a13626fd9c4326a3b25cac1e07bb069750250b30914088844630b7943

SHA512
934ba1dd0bea2aaf08b6d8a2e100869200269dafff79b66cf4c41ba890a7334fa2798d040292d2159fd089b0317388ffaa8c4821ece50cb1dfc2faba6c2edab4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
b05e060607f43768f87ca4531b39a43e

SHA1
ee6ee6283ad6fa753b2209d224176d9b804209f1

SHA256
9605f435e49a1275e1c65cf5821e8d78d698ee902ab3aa4d3c7ac402bfc4ad5c

SHA512
a279cb2dd1aaed5c570310db2241bea5871ea86c68af62ea6e42457b432040bcfa6fc91c0611e43cd4430b098aede306477bf73553d3c4ac2b3724f5d0b49779

Download Submit
memory/1620-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3192-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3192-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download