neconyd | 44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe
Size

72KB
MD5

ce702c309268bd335ff5aed6ea8f642e
SHA1

a510ea50a34d82557ddd10241ab76444285dd86f
SHA256

44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13
SHA512

124dd45b960eb4113cd37556f59ac5750acce05150276c016650a385fd90411f0066e23b3ed489ed627be3989bb7216165a12e4a604efe51ef7be1347804ca17
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211t:/dseIOMEZEyFjEOFqTiQm5l/5211t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4744	omsecor.exe
4280	omsecor.exe
424	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4744	3888	44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe	83
PID 3888 wrote to memory of 4744	3888	44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe	83
PID 3888 wrote to memory of 4744	3888	44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe	83
PID 4744 wrote to memory of 4280	4744	omsecor.exe	101
PID 4744 wrote to memory of 4280	4744	omsecor.exe	101
PID 4744 wrote to memory of 4280	4744	omsecor.exe	101
PID 4280 wrote to memory of 424	4280	omsecor.exe	102
PID 4280 wrote to memory of 424	4280	omsecor.exe	102
PID 4280 wrote to memory of 424	4280	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe
"C:\Users\Admin\AppData\Local\Temp\44d7f7aeb34e71ba2c682a02a7a8e3ee10853a3ee3da5da074d963198a920e13.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
eecd4d24eea5323a586d85b9d3afa8bf

SHA1
31b047b8ce487d4084a267792a0c36d9554c31cd

SHA256
2dec7827cef496179356aaf83fc964153c85bb9796997a0eeda6224e39762538

SHA512
9813890be372852f56b93e0d4ef372b11e44d8b7e349ea69ab427029dee7129e94b77eee84fc56eb8f152a98e2d36c66b771035abcdf5f3149805414883d99f9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
89c3bbc4fb5b2e61249dc757895981e1

SHA1
87a375a4f3af566e691b396d333e6fe7e638ba85

SHA256
cbadfee086874003f0c667e1b6cb98cf1706b7ad24c41579db5252edbe2d05ee

SHA512
2e51a3fc413f013382de404bed2c6d1a76be8a610ec6ee56c41c83e4ed820d6fc1a0b871a625b97401896e1b04e375dfe95a0013cf0a047aa73884676ed1c6cb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
748408f8e605a526e94b469d4cc52e45

SHA1
a41cfab21a801d933664936254d9d614142ad801

SHA256
5e28ec966d373c4f9857e2f3b54c9f4c303b7e567e8286f846bbf6e088519884

SHA512
946871977a2af1c9897369990e22828e72a6280c83355d439600795e5180e324cb60e1c4bf37a322ee2505e9bbe3352e097d8b1dc464ce6e5669e0036cebe88d

Download Submit