neconyd | 942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
Size

76KB
MD5

f631c17e6769f71b0836e606bd8fc5b0
SHA1

cff9c884387f2790d6e6565ceae64a9c9cb92dc0
SHA256

942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126
SHA512

1049d9f39d70bade985f0de953689488677e369d5b695422794867a66d05cf8f4df04440182b2b76a7ca6e412da131fa70af2291f0f6fe42343d84151eed53ee
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:mbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1256	omsecor.exe
3644	omsecor.exe
1724	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1256	1044	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	82
PID 1044 wrote to memory of 1256	1044	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	82
PID 1044 wrote to memory of 1256	1044	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	82
PID 1256 wrote to memory of 3644	1256	omsecor.exe	92
PID 1256 wrote to memory of 3644	1256	omsecor.exe	92
PID 1256 wrote to memory of 3644	1256	omsecor.exe	92
PID 3644 wrote to memory of 1724	3644	omsecor.exe	93
PID 3644 wrote to memory of 1724	3644	omsecor.exe	93
PID 3644 wrote to memory of 1724	3644	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
"C:\Users\Admin\AppData\Local\Temp\942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
75ce8df77294c4ac60863f4b3de9dd13

SHA1
cf0d89ee86fcf4432136d09cb4aae0012ca20940

SHA256
32dcee33c1ae0fccb958088566b5ab9d10ea32ea481a1e63cf30bf5bdde4f42a

SHA512
f711d229144562448477e85d57faa63bf4bd270d3db00b7dfd364e33c55765584f8d4198f6d594f77bc47bfb6503631979dc4719499ebdd1f5843973bd4a056e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
74a63a3b32f0977396008d8553228e51

SHA1
4385d3359db01174a045a2a31658c2dc88282262

SHA256
1597be816a994bb52d8f5ab9de91955219fe5ba4b64bc511df70a891cb58bcdc

SHA512
e3bf8a51f84411e83d80abed2ef7f30acd6483810d5a59f57dfc385a53f780c012495519aabc94b99b1256878a934c2298a55db0342d030146f6bd99598bb0d5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
61e385d55807f8f05cec92b2a6e8dc77

SHA1
ce386dc412084c5dfea313deb26275d6d4ee732b

SHA256
8d14882a0cbaf836af0f39bb389881d20221378412f74b4000b0f85f9a6c44d6

SHA512
ce88aef4efbcd2d7f9c143950179f5cd30071289e5a32d6396de7cabd508d58edc9dac7b2d2da421f74da7e50493628d13e82b4ba9e16e267330891c15995153

Download Submit