neconyd | f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe
Size

89KB
MD5

953b5dcbee95440d38892ee7f4c84e50
SHA1

bad61f40f24102dc184116dbe839547816ba020f
SHA256

f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22
SHA512

5e9ffe005d1e3e383d9a6fc1b9892d734bd7a6ecc38b983a2136aed43aab1a0f754e277b1b66876056925fdd6b584b545ccddb5a0fe9bc1ac7b2b1a89becd0c4
SSDEEP

768:FMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAV:FbIvYvZEyFKF6N4yS+AQmZTl/59

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4828	omsecor.exe
2724	omsecor.exe
3244	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4828	3024	f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe	85
PID 3024 wrote to memory of 4828	3024	f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe	85
PID 3024 wrote to memory of 4828	3024	f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe	85
PID 4828 wrote to memory of 2724	4828	omsecor.exe	102
PID 4828 wrote to memory of 2724	4828	omsecor.exe	102
PID 4828 wrote to memory of 2724	4828	omsecor.exe	102
PID 2724 wrote to memory of 3244	2724	omsecor.exe	103
PID 2724 wrote to memory of 3244	2724	omsecor.exe	103
PID 2724 wrote to memory of 3244	2724	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe
"C:\Users\Admin\AppData\Local\Temp\f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
43465eeb7797b034b211c4a226e091ca

SHA1
25fecdf95b35d4ac70a85453ce32b51c78190bac

SHA256
f461ffb01f35db7345e2fd32e9a8a6debba2153c26e5876f2bd8cd4e007b052e

SHA512
39aec87612cc9ad93a2e15c223dca8b9f9a65da1e5977bcf34eb3868fe6e509d40e9b0014c4d62fdace7d51b5df5189f307e3aab8e078de4cd414372d0888a45

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
67f1215eef7668f862d48acf41ae7e5d

SHA1
4a6828e76a3032f83f0f262425f18aacd628bfde

SHA256
af281d31c48a2aaeb0dc8fd8bc496fcd8f146cc84f9905e6bece20108c9ab01f

SHA512
807b5c8b17672ee6b332e99a338bb8136719a14625504ddf7b258326a085814f660f88b982f2448dc50b45680629652c868f11e93ae1c9583691df588f29b760

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
b71703af727c261bf84584302eeab18b

SHA1
a77eed1c9b6e36d6df280162607c6ff3d0e1d254

SHA256
fd99ae20b30efb25258f18131b42b6d2869ceb9d3c029da4459f06e52ceaa76c

SHA512
b54db22c82467a89d4e2e92b8606eedbce6c5d90796c41a798be41e7cb17dbf5227b0fe2e32ba999f6c6efa3bb78f6ccfdace0c5dbd536380f2ea9067e177ef7

Download Submit