neconyd | 0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Size

89KB
MD5

cef4897610743d42e2166379784d01fc
SHA1

1917e52e8476c756bc1930afca8f283aa33688d5
SHA256

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e
SHA512

cb905e9435a3ae511c8261a31e555fc03d658cc2ae4bc004fe3755391b5935b3be2fb152fcd4c92147cce7013dd2c156e38f53722f2c30f72c8e28ec29ad507d
SSDEEP

768:FMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAd:FbIvYvZEyFKF6N4yS+AQmZTl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1680	omsecor.exe
2928	omsecor.exe
4588	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1680	3088	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 3088 wrote to memory of 1680	3088	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 3088 wrote to memory of 1680	3088	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	83
PID 1680 wrote to memory of 2928	1680	omsecor.exe	100
PID 1680 wrote to memory of 2928	1680	omsecor.exe	100
PID 1680 wrote to memory of 2928	1680	omsecor.exe	100
PID 2928 wrote to memory of 4588	2928	omsecor.exe	101
PID 2928 wrote to memory of 4588	2928	omsecor.exe	101
PID 2928 wrote to memory of 4588	2928	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
"C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
22a23249d071959af5960664da952258

SHA1
c237ff52ee055587d70dab6e194f8eb09265c864

SHA256
65681e8887e938a9189efc9edb3703bdbf0dfdbfd6705ad8ec5ece364eb89a2e

SHA512
547f6f895694c54b58a86018b3219cc53005824918da3b4a5498e733de2445c4d87c722b412b20bf6e2d3f66c2aa6bd88e22f2d2d3eb0e95f53cbe3646bf0d0a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
986ba34f68eef4300641c5106fd9897c

SHA1
588e12e8a229efed7afe3dc537b880bff62607dc

SHA256
bd9510334fee11168f0a6934f6e17237d6842088ac7c4cab33118478d0ba4c18

SHA512
039272075e836c5914f479180f701c6b047d877b2fd7cf345997870dbf1c606684116a068e945efaa34ab7416048ff50e163c2ca85c7a6f681b1865553de58d7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
1a2bafee87be9e50458d78407c4e02d9

SHA1
1993bc4d02ba5531d7ac870184646b1ca5216258

SHA256
accfe6e1826e073de93a5b927b68f30815ca5ec8a89715a26aed2ca7f1a0e01e

SHA512
34db27a55780d174a92dcd8441c3a9c5b30dae2d410f68700c1946619e852536533fe0b1e0a228fba371ec0815cf371b20409ed83c42817efac3ca057f43993c

Download Submit