neconyd | 8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
Size

80KB
MD5

fd4b4b9bf0ea8788ce2983a134672113
SHA1

75bf364ed59ea1167ee302cdf85453d91ab963a3
SHA256

8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2
SHA512

98cd5d2bc87901673b1e56fdec2d5c82a552c9f91e2b26d62059b740231174dc7e74bd8ada7592cd8103ca01da3a60862b22dd9b6c04d43a41c4ef7dd9c5b211
SSDEEP

768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:6fbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4800	omsecor.exe
1252	omsecor.exe
4520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4800	3460	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	82
PID 3460 wrote to memory of 4800	3460	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	82
PID 3460 wrote to memory of 4800	3460	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	82
PID 4800 wrote to memory of 1252	4800	omsecor.exe	92
PID 4800 wrote to memory of 1252	4800	omsecor.exe	92
PID 4800 wrote to memory of 1252	4800	omsecor.exe	92
PID 1252 wrote to memory of 4520	1252	omsecor.exe	93
PID 1252 wrote to memory of 4520	1252	omsecor.exe	93
PID 1252 wrote to memory of 4520	1252	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
"C:\Users\Admin\AppData\Local\Temp\8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
811e50a5d1882b0ddec5e0b6e5099270

SHA1
7d5d0545acf704d4a0768e5e6af24e98ddf02ce6

SHA256
f41021002d60f7e71d264636f6ab54adcf23490f557f42910e29e3fb633b2cc2

SHA512
8bbd8143c4946e0b2b557a94614a8f66277cd53ef980a43304c5dd961fe5568e273f5c3ebe3c80365c7ec31358ea70e99ef742e3af07d07070033dfed54ad453

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d3cddd2cea949afa68df39879b0f90c1

SHA1
0f4af3965755d007025531e2cebf8c5061f70722

SHA256
0d0d65d631d44b56b238b2979cd40f2e1fc79673f2086ddd17586f66dceb4797

SHA512
c3834dd7384dffcc59c119c6634c1d9d3e947a1ddc3e5045184a625b6869c148d65dc82871d97822ee64883bc7b9380e5c9353f73ee3ee364d45ccaf05c9c981

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
d2914713aae324071621f8a8c1836167

SHA1
a74e9d4fd27e648284607418210184e272152353

SHA256
fb4843bd90cef2262611964b832291e72317cb2fb381af1aab291b5fd47e3e09

SHA512
818a6fa7145b133e7f45ab811f3638c178bad3d748739808bb87b53f0b5ece660e4e4bfd9e8750a20f105df204792cedf269fabc6c8dec569dda5235d2421932

Download Submit