neconyd | 0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0

Analysis

max time kernel
83s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
Size

76KB
MD5

3beeabe619f4a58aea904f4ce18a62a0
SHA1

f7a11cc96c03b5054f926c9dbd6548310c033304
SHA256

0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0
SHA512

45269d6a9c8f57fd96851a247972db9280ff08608b5071b9b3a6754885aee7fb1a5343608b7d9a293142a679566bf9d8fa5d4c9a610a9d2f5217627dfea952d2
SSDEEP

768:p2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:kbIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4232	omsecor.exe
1240	omsecor.exe
4500	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4232	2808	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	83
PID 2808 wrote to memory of 4232	2808	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	83
PID 2808 wrote to memory of 4232	2808	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	83
PID 4232 wrote to memory of 1240	4232	omsecor.exe	100
PID 4232 wrote to memory of 1240	4232	omsecor.exe	100
PID 4232 wrote to memory of 1240	4232	omsecor.exe	100
PID 1240 wrote to memory of 4500	1240	omsecor.exe	101
PID 1240 wrote to memory of 4500	1240	omsecor.exe	101
PID 1240 wrote to memory of 4500	1240	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
"C:\Users\Admin\AppData\Local\Temp\0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ed9fcc3348fa79c98feebbfb446ab26f

SHA1
56b20c25c5c5f7c677a7b06fd15a703ab95321a4

SHA256
61ffd3efd1bdee48e8d31a4a310fe785754354c9a0febd5ebbef2243fed292a2

SHA512
834aebeef64abe60394c8837c948590215a151829704f3aeec5540085b8a5fbe6805822db5f5ff56f3a22e8929c0275c7c9940c7b5065d7122f002ee4d2bbc50

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6c9291262117056cd7309da503a52d47

SHA1
c4c9bc7d597a899c54f88756153bb4d5461bc795

SHA256
3f7b0355c43a2eb8a50420c6a5063703e373731c5caac79c6d8157fbdb137eee

SHA512
bd8c1c432208c515f5f39b474b2c727c70897a6c282c6c9038a9fc859b140faf1cef5c85ab43505ca26432206db89a38f4acc5854f942affbe71bb454c992e74

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
0c534cdee15ce9dab4283452fc28b514

SHA1
e2a02697734f2e0742af41d055d212b5604277fa

SHA256
6095676c35e2066c3c669ffb81158c1f685f0515a633a84b613d1423874e43b0

SHA512
44b22604f5d77622eb824d2d0147282c2c5f6f84dc9004bd8a21f8c2c86e48e2d8f423c51576b479dbc508aa35b2332df4abc8a9476ea0ceb826fb484f746497

Download Submit