neconyd | 981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
Size

61KB
MD5

1d429541a12776cd14dff027a4dbd4ff
SHA1

ccfc261cb2cd7e534957f8f90c1d6869a4ac3cd5
SHA256

981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9
SHA512

05c1ebaa68292a96ac52e4ede6524b1c3907d72e81c479bf842b0222bb30a5413ec3aef53eacbc3b389a24c57041d715876e326626c117dea59340dd069a7f37
SSDEEP

1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5/:GdseIOMEZEyFjEOFqTiQmPl/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5052	omsecor.exe
4940	omsecor.exe
1464	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 5052	664	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	83
PID 664 wrote to memory of 5052	664	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	83
PID 664 wrote to memory of 5052	664	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	83
PID 5052 wrote to memory of 4940	5052	omsecor.exe	99
PID 5052 wrote to memory of 4940	5052	omsecor.exe	99
PID 5052 wrote to memory of 4940	5052	omsecor.exe	99
PID 4940 wrote to memory of 1464	4940	omsecor.exe	100
PID 4940 wrote to memory of 1464	4940	omsecor.exe	100
PID 4940 wrote to memory of 1464	4940	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
"C:\Users\Admin\AppData\Local\Temp\981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
696a98abbfc52cbb935499f17c52234c

SHA1
0648ceda4cddc4875371533e9e5066074f33161d

SHA256
5b3b77d7b530a0878f600cd80fa8594742b725c62bd1f07ddf0c7084bf30c177

SHA512
a1aef773d9a57707f303651631c4c8ff9dee8ba612da0fa98d6f66fe6e6b0b1101ade85ebcdc48a688830f2fd95c04fc019b6d5b2ef0cc83b6cf6888f863a8d4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
62a1de0ab68e289ed6c5e6e39f79ab4e

SHA1
92dbb49e36eb3c32de2bbed45412258e3d5422ab

SHA256
afa7b5a6326712c5cb5dfda7aa0a9bc2586820977316f47700d73e9d525e1514

SHA512
f23a2d444ae79ded95571562371a744ae0eaf42f4db3f22213d0ffe429061cc8b3c57bf7099ae838d62eb27e3a625c535763ea5e2f1d7d845c3deca4e29f23f6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
b039b05b0025bfa6e72e65bd4493ef4b

SHA1
20f237415fb8d49f761e8e41d0ca3985a8781d34

SHA256
bd324dc13296eeb6fe6cc598b8ee5b4c1b64b50b81ad175e064838eac603f845

SHA512
f70d6ce34ef30e1d134187304c1cb3cdcb3e6a8f8d534fb698c076098abf72c053eefb3a58ac20cfc67b39cb5bd54e13eb9498cdb87a5f92fabecd33535a9f6a

Download Submit