neconyd | 6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
Size

72KB
MD5

dfd32fa7fff9694bdafb4f39ecf82430
SHA1

8592f7d91c217b97b1a48b80d795302414572870
SHA256

6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7
SHA512

c09245e97f1e3533745f86a5376a054fa286e1f1ea8c921e9c557297bbc57b7e54888ce0099c3497cb0320b994f28ab0c1172febaf849a1020651a854469182d
SSDEEP

1536:yd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:CdseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4852	omsecor.exe
3280	omsecor.exe
3848	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4852	2348	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	83
PID 2348 wrote to memory of 4852	2348	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	83
PID 2348 wrote to memory of 4852	2348	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	83
PID 4852 wrote to memory of 3280	4852	omsecor.exe	102
PID 4852 wrote to memory of 3280	4852	omsecor.exe	102
PID 4852 wrote to memory of 3280	4852	omsecor.exe	102
PID 3280 wrote to memory of 3848	3280	omsecor.exe	103
PID 3280 wrote to memory of 3848	3280	omsecor.exe	103
PID 3280 wrote to memory of 3848	3280	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
"C:\Users\Admin\AppData\Local\Temp\6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
606b3973e00c12d3ad6412e1ee0b56f5

SHA1
84c5fc93abb19cd1dbff36dbf35c67567e009485

SHA256
b617237fce62b575c37e4c536f1fa1f64fc7ed97011543f0acd8a72341e5f16e

SHA512
e2d126e00f42a67c45e12bf81a6fcf7f590620c57db056d33f8f52e44060f48d2ce908abf8c60497b4725b8e5ed9399cc5116cb955c381db1d67a26a17923c88

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
f9ec3aa78a555730bd33b724f1e60a1a

SHA1
2672956ddcf4032b179ddc2e0f0b0161caf72560

SHA256
1b3c10eca785706ec0151f2c7c4b77f79fe01fbe3063ed76ed54dd433cda874b

SHA512
285c34a662bf5b2a4ee7d7a414e266cfbf87bfb623cf36a8253f0c9b453326f5ba7c946442d391360757d25ecef0860305939f58389f2db81439d95a3a0e8191

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
bce28d023e500e1cded59509b21573c1

SHA1
d2cc8f1c2b7b8cbcba352504acbd400032ac9745

SHA256
4c57f41536beffeb91b4cdd7cbd8e9806f3b8d6afc1a46da592ab8bad516866b

SHA512
05321a2e189dc9182e9ec016dcb2840ddf790ecb6773b7118675cf7528fc5c82da15da4cdb842f0bdd6f0863f6375a5c7c2e68fcb97b871f43ef85d534caf1be

Download Submit