neconyd | 1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
Size

80KB
MD5

b0ef11bf09c019fa8d2e5122ee68d450
SHA1

5c8ed771b867951c04292faa15a7a9921ee5d739
SHA256

1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08
SHA512

0dbd02f777e92b95421e08dca4129094900877b1894b2d732b76de8b64ca600e77854247da755b6c1743b63a2d025b671a932ae8553c73215bfddea98b6415bc
SSDEEP

768:XfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:XfbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3524	omsecor.exe
4484	omsecor.exe
3660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3524	2364	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	83
PID 2364 wrote to memory of 3524	2364	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	83
PID 2364 wrote to memory of 3524	2364	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	83
PID 3524 wrote to memory of 4484	3524	omsecor.exe	99
PID 3524 wrote to memory of 4484	3524	omsecor.exe	99
PID 3524 wrote to memory of 4484	3524	omsecor.exe	99
PID 4484 wrote to memory of 3660	4484	omsecor.exe	100
PID 4484 wrote to memory of 3660	4484	omsecor.exe	100
PID 4484 wrote to memory of 3660	4484	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
"C:\Users\Admin\AppData\Local\Temp\1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
862c8d8453fd214bc3d3f81f86360eda

SHA1
779cb8bfd8796729fef79b5fafaf2938601627bd

SHA256
7e75c9255a889e79e047177380f76d3e093e27f83d6c064e9becd4b2ae03a38f

SHA512
d04e4548d32daca558d2e72fb0de48e43ad5d916a5cebc0d44d4c290e4b8f665518dae68f77fb30d0ae61e64d81aa8db30759f0b46536493b5509a594594b964

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
96f11a22b41ac0587a2f63281678c76a

SHA1
b2c4eda51a6dc1020a0633d1a63b531139a4d501

SHA256
b407803f3eb01f017d7112d171d5ad5393221f3716d7f8dc0ef33f47aa299ff7

SHA512
df92a7e3ac34c1f6cdda7ae1959f5946272f4a8d202fbfc904690b2d11bc95539521a4628827a56480d226d5166408a50c8cda4644e8292524c347140a54aa6c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
410bf8f3891fb823a3e6d08e49383860

SHA1
1c087b47a8427dd31d499a18f19c499f16802dfa

SHA256
053b8704c47d1107e6a21bb61b6c706eb983c35d22f3f457f8e729ad8d956b71

SHA512
37efc4881b0cecf8a3c203f13a8c6e4886e10caeb744e5664650b1f1673b5319eca183b11abcf2d0c7fd59f269f039773c527f6df68cdb5daaed6d28489a10ed

Download Submit