neconyd | 1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82

Resubmissions

12-01-2025 08:55

250112-kvltxsxqdj 10

12-01-2025 08:52

250112-ks6fjsxpgn 10

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Size

72KB
MD5

62722158cbc7ab4682bce34d39c83a60
SHA1

223c262a2527b205b3f79fb733c2d5f743f5ffab
SHA256

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82
SHA512

942b309da503f6b1173ce74f1a82dd17009d56bb9f776622c852bb486923647a2d5198a2e85be46b22435429383aee9bbec98e4ee167d732fa872e83d05590fd
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:+dseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3388	omsecor.exe
5084	omsecor.exe
3548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3388	2108	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	82
PID 2108 wrote to memory of 3388	2108	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	82
PID 2108 wrote to memory of 3388	2108	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	82
PID 3388 wrote to memory of 5084	3388	omsecor.exe	92
PID 3388 wrote to memory of 5084	3388	omsecor.exe	92
PID 3388 wrote to memory of 5084	3388	omsecor.exe	92
PID 5084 wrote to memory of 3548	5084	omsecor.exe	93
PID 5084 wrote to memory of 3548	5084	omsecor.exe	93
PID 5084 wrote to memory of 3548	5084	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
"C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
6b986a51200680da24e99470d0e16cda

SHA1
347b2ce2be2edd34330ddd02dd635d31b4728a3a

SHA256
aeadc55105f7b6a01153dbe8643cbc484a0e8e7e79930363e7033a2735dae983

SHA512
808599a5911488fc476d20be9984b9fc2635afbf7cb7d3ccc97fe87edd2f73463b3eb6b42d3134a18dfd48efc9effb50aef867d5ccd545b98a1d5f0bf560e180

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
431659635728e53bea3d6c6ebde6d54b

SHA1
1a80524c9118834a269a626367270ca9e87358ab

SHA256
d046fba454870610ec302eefdbb9ddac8308fb24ae620203840407460fb7b88f

SHA512
4e0bcac0478538f34098177a8f1061db3bdc280fa2584fc60f04c3812e4943fd8a5c09f87d149c7f5401e2bf78fdbabcf5f74b380f4927bc8c5c1bcec50e65a3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
260686310a240fe58ab938eb5ad149b1

SHA1
d0238d6bf61c018a052d89d9def4204d1e695c9e

SHA256
fec4c52646fb1d1e2615db545840e3208c2332f21056983a4f7f9e0868526917

SHA512
ebc3e8e9d6a33e3a442ca351e03e36b9c0ed51dcd3c8c16e5d6192ecb4caf531f9f4a427269da8dd0c16ae66e04cf7b013e1e2e6312ac1c6534e7fe536889a94

Download Submit