neconyd | e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe
Size

72KB
MD5

b9630713921daf210591c095fef95477
SHA1

7c579ec9a1b6cef5319c2655601622066fe835e6
SHA256

e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b
SHA512

ad9a647e584f52044bf32d071b0f0a9989fdb4d5a214ce90a789adf1878deb32751e55c530b41b0b18e4969489b69ee06e257c042cf42054b60c1d91c590df96
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52113:ndseIOMEZEyFjEOFqTiQm5l/52113

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3640	omsecor.exe
2496	omsecor.exe
4696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3640	1680	e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe	82
PID 1680 wrote to memory of 3640	1680	e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe	82
PID 1680 wrote to memory of 3640	1680	e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe	82
PID 3640 wrote to memory of 2496	3640	omsecor.exe	92
PID 3640 wrote to memory of 2496	3640	omsecor.exe	92
PID 3640 wrote to memory of 2496	3640	omsecor.exe	92
PID 2496 wrote to memory of 4696	2496	omsecor.exe	93
PID 2496 wrote to memory of 4696	2496	omsecor.exe	93
PID 2496 wrote to memory of 4696	2496	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe
"C:\Users\Admin\AppData\Local\Temp\e0c43625ac24f5146667cb9245f25aa2257c234ede6abd81e47d268bc1f2dd5b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
5dd102277008875a4d6fda78a502372a

SHA1
506c2b2e22e8e68de2637927a35361703add4591

SHA256
4407f58481fbca6866b6f3231dd43f11c9effe37cba09b2d42bf4d12c8cb3e98

SHA512
f96b5c039d638d1ea6d2f2bad3b79c12a07a33cfb0bd3ae4594726c3fa3c4df98bfaf33fcba228fd97b92bf1a91c4978e531eace3ff7d170d0d52d24280910cb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
5d37743638ed91bc3ff4c1acdb30d462

SHA1
45d0faf34ad5fc56b995afb5a5cbecd8b73ac687

SHA256
0ba26afc8f34466ecef2a4c096ea122bf0e95ad721bdf2f02632291a1296cf3b

SHA512
fbb7d92b9c022e8fa648349e093b0fa68bbcf1638da3af39ce3c217349ce0e6569496c3acedad5985acfd92e640ac1dc1d1d94551b5d9040beef07e195d0f30a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
e048cca524eb75a5b74a4cf19bfe014a

SHA1
f94715607d96f3692c8eadd1091c3530d8e610a3

SHA256
0c535533679f7f7585280c67cb7c4b536500701d72b834e9f0df2a6858caef44

SHA512
44a05206c725e5dbb6492d498ec61216c7aac0170f8ad9e6c8a0ddf913e41ec4b4a16c4dcfe89d192d9c1b509d857a86aec6fe5757325cf8b4c25ab0bb9a4b7a

Download Submit