neconyd | a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Size

80KB
MD5

069dad5b8bdad12163efc02202980084
SHA1

8f78016b6151df0adea2e245dcfeb695bc8489aa
SHA256

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6
SHA512

c534c87d37c992de852caa3282d6bc1fac257a7bbef293c644d0e93bc20423b2cfd180d822321967a90dfe646528728a6f86e7b50af6e063f27c872c7f4cde9c
SSDEEP

1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:6dseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
960	omsecor.exe
4888	omsecor.exe
5088	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 960	1356	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	83
PID 1356 wrote to memory of 960	1356	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	83
PID 1356 wrote to memory of 960	1356	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	83
PID 960 wrote to memory of 4888	960	omsecor.exe	100
PID 960 wrote to memory of 4888	960	omsecor.exe	100
PID 960 wrote to memory of 4888	960	omsecor.exe	100
PID 4888 wrote to memory of 5088	4888	omsecor.exe	101
PID 4888 wrote to memory of 5088	4888	omsecor.exe	101
PID 4888 wrote to memory of 5088	4888	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
"C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
6d44aae1eac038afe34de21bd1f5528a

SHA1
5b0d610f7394145878dbb06e64c9660ddd6575f3

SHA256
e1ac4decec0d019d2be4399153981e13b75b15dbc1b7b27c3636ad0edd586ff1

SHA512
9404bcb45dfc8849b0d74fc80624990c772b762c488b3715c6f335994e399f28fce63fca0161611781dc1b1666714c8f98db7af974d15bbb476e600d2dd95aa6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1a499116d25692f1906357e558167ad7

SHA1
64040bb4b7efbba535604c6e0a63ff061a143553

SHA256
82c15929ac0cb6bda7e4957ef9703b3e182dd6bc69c846c81c79ef25f9292bd9

SHA512
bb00477a72276bb91af7f0deac8bfc1ea1ba50979da80ae0af0dbf13002c777898ed7f56f4f77602aea16ec73b4e4394368cb0ed165570d7595123de3f38cbdf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
bce26b3d84df8c21b3ea09599492a2cd

SHA1
f208008706e93366c23d509398d9aefc733e469e

SHA256
5cda8cad0174a3afdf180c9720cd2dfcc2099aba00c468ede1a4cc42b51cbb65

SHA512
8eead4ad6b526d827d383543a86cc6711a11716708f0d970a238fed07685a3ca32bbd21dd38e219b9d1d24727e5b22060b8ea55b8f8156398ff250290569303b

Download Submit