neconyd | 1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82

Resubmissions

12-01-2025 08:55

250112-kvltxsxqdj 10

12-01-2025 08:52

250112-ks6fjsxpgn 10

Analysis

max time kernel
893s
max time network
894s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Size

72KB
MD5

62722158cbc7ab4682bce34d39c83a60
SHA1

223c262a2527b205b3f79fb733c2d5f743f5ffab
SHA256

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82
SHA512

942b309da503f6b1173ce74f1a82dd17009d56bb9f776622c852bb486923647a2d5198a2e85be46b22435429383aee9bbec98e4ee167d732fa872e83d05590fd
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:+dseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1516	omsecor.exe
468	omsecor.exe
4316	omsecor.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1516	3652	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	83
PID 3652 wrote to memory of 1516	3652	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	83
PID 3652 wrote to memory of 1516	3652	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	83
PID 1516 wrote to memory of 468	1516	omsecor.exe	101
PID 1516 wrote to memory of 468	1516	omsecor.exe	101
PID 1516 wrote to memory of 468	1516	omsecor.exe	101
PID 468 wrote to memory of 4316	468	omsecor.exe	103
PID 468 wrote to memory of 4316	468	omsecor.exe	103
PID 468 wrote to memory of 4316	468	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe cmd /c %TERMINATE% "SIGTERM"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\SysWOW64\omsecor.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
431659635728e53bea3d6c6ebde6d54b

SHA1
1a80524c9118834a269a626367270ca9e87358ab

SHA256
d046fba454870610ec302eefdbb9ddac8308fb24ae620203840407460fb7b88f

SHA512
4e0bcac0478538f34098177a8f1061db3bdc280fa2584fc60f04c3812e4943fd8a5c09f87d149c7f5401e2bf78fdbabcf5f74b380f4927bc8c5c1bcec50e65a3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
de768b491f079042ec25fc0b7f8035c8

SHA1
1033a3f8e790a462d5bbaa22703b0d76972eb8f0

SHA256
96fc4b41dddcdd61e4f64c900aeb4790db9bc3dde04f7dc5d247eefdf0aceeeb

SHA512
857a6b1fb167429d07930256726e91c3cc70d15d0618b3b60aa22b462c540236b3e9532e4d414c1b962821b8d76e490dc03080baa37183ace47228f886be3a76

Download Submit