neconyd | b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
Size

80KB
MD5

e859b474b7545ffa83e375b8bdce5c5e
SHA1

741022331bc43fe920ec14e2bd0ca3802140f078
SHA256

b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389
SHA512

20039dc5131949439af5a6425754661de1b00de5648417f05c4a17ec02ddc45e305bf3600c678d9a0524445cf194bc8268217d06c1786ce859472c7f0fa4820f
SSDEEP

1536:9d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzL:1dseIOMEZEyFjEOFqTiQmOl/5xPvwP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5076	omsecor.exe
3788	omsecor.exe
516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 5076	3644	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	82
PID 3644 wrote to memory of 5076	3644	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	82
PID 3644 wrote to memory of 5076	3644	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	82
PID 5076 wrote to memory of 3788	5076	omsecor.exe	92
PID 5076 wrote to memory of 3788	5076	omsecor.exe	92
PID 5076 wrote to memory of 3788	5076	omsecor.exe	92
PID 3788 wrote to memory of 516	3788	omsecor.exe	93
PID 3788 wrote to memory of 516	3788	omsecor.exe	93
PID 3788 wrote to memory of 516	3788	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
"C:\Users\Admin\AppData\Local\Temp\b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2e78cb43ad1e2be5b52242b5965a2b25

SHA1
3a8fc6d8ba9081bbe9988f6c30b1050122f2393f

SHA256
3c407d530196347f1c7b27d4a077829b7f9b858f2bef5be285e82686ab9d5c71

SHA512
e435e2d41a38ba95be132229675a1a2c1e8ec437f3cd04c3c37470fef08ece92f40343b5015141db758994ba57cfcc2a6f24971dc19e752c0729f8671ae958b9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
62ed41fd2b434afd520ca2855abe2951

SHA1
329fe5264b1239765586e771b06db45bc0f0637d

SHA256
2faf885b46e9b8b92822cd3548afc1d77679c4a16e201fc6c29608681a4424b7

SHA512
51d10dd4f4656d6bc202411f698ba75664347ac3b2ae648a6f58fadbc0b8c2af2326272766e27fad6278334ba4b8b8761f9f6d1dee23d7d0fd30f5242b80ad77

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
7677eb9f9948f914a7b664690aa1800a

SHA1
69b74f1c0139812006e8c3056f186d419fb26c0b

SHA256
c30610039bfb3326f49dbb7296d05cf09efe13d9be64815bc956e0f9a35b18a4

SHA512
3712a5f82386f4e0a80e19174e883ae3719d9e10fe5184b56f4b4fda96eb23597eabeda487bb2583ddaa949538fe10ba5a3f275cd3ad4b5c4b50f7d32af179ee

Download Submit