neconyd | 0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Size

89KB
MD5

cef4897610743d42e2166379784d01fc
SHA1

1917e52e8476c756bc1930afca8f283aa33688d5
SHA256

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e
SHA512

cb905e9435a3ae511c8261a31e555fc03d658cc2ae4bc004fe3755391b5935b3be2fb152fcd4c92147cce7013dd2c156e38f53722f2c30f72c8e28ec29ad507d
SSDEEP

768:FMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAd:FbIvYvZEyFKF6N4yS+AQmZTl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2496	omsecor.exe
4892	omsecor.exe
812	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2496	4824	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 4824 wrote to memory of 2496	4824	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 4824 wrote to memory of 2496	4824	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 2496 wrote to memory of 4892	2496	omsecor.exe	99
PID 2496 wrote to memory of 4892	2496	omsecor.exe	99
PID 2496 wrote to memory of 4892	2496	omsecor.exe	99
PID 4892 wrote to memory of 812	4892	omsecor.exe	100
PID 4892 wrote to memory of 812	4892	omsecor.exe	100
PID 4892 wrote to memory of 812	4892	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
"C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
5f8f1358210358bc2b1e2da613f0fdfa

SHA1
768507277f1562d2e458634b441c63242a719e7a

SHA256
3578b779922fb6d4c3d0a773890f677641c03ffff360032c2dd5fc942db101a5

SHA512
0c3ea08298958c11e0653bc510938d0cc40836b4309ac322979b3393eb814a1f740e8d7858ecdc079c3bfd44563a9b8430141a162c376feafd74e83d0743f76a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
986ba34f68eef4300641c5106fd9897c

SHA1
588e12e8a229efed7afe3dc537b880bff62607dc

SHA256
bd9510334fee11168f0a6934f6e17237d6842088ac7c4cab33118478d0ba4c18

SHA512
039272075e836c5914f479180f701c6b047d877b2fd7cf345997870dbf1c606684116a068e945efaa34ab7416048ff50e163c2ca85c7a6f681b1865553de58d7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
afa2b50fa59ceeed83f44f45933ca799

SHA1
a16d6e585e0c0018c7af54b42240943296a50661

SHA256
fd1adc45441156ea95c61d9fd84e4249b51b3ca11224315b2612d6f99cfdbde0

SHA512
40d46d4b36382e569c49699e736a03b0a2b6a282240cfe171e0445e351be16f530696046d516c028fef67f03aa25e5f4ed9e81cc9a8b149a26904de2d3e9f2e2

Download Submit