neconyd | d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9a

Analysis

max time kernel
104s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
Size

80KB
MD5

fb30f745ff7c2626a18b4391a78b8580
SHA1

a00c4a74b8e347e82409da5f39deb610ca61cabf
SHA256

d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9a
SHA512

b74006cfe59fa33bdb9cc7b8e7c484d80d0658503385bf592a83a121f9d81b9416654003f4dcd2a0c4087fb23d58257fbfe74136387ec228f11a5bb57a94faf6
SSDEEP

768:/fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:/fbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2356	omsecor.exe
5060	omsecor.exe
2996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2356	1848	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	83
PID 1848 wrote to memory of 2356	1848	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	83
PID 1848 wrote to memory of 2356	1848	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	83
PID 2356 wrote to memory of 5060	2356	omsecor.exe	101
PID 2356 wrote to memory of 5060	2356	omsecor.exe	101
PID 2356 wrote to memory of 5060	2356	omsecor.exe	101
PID 5060 wrote to memory of 2996	5060	omsecor.exe	102
PID 5060 wrote to memory of 2996	5060	omsecor.exe	102
PID 5060 wrote to memory of 2996	5060	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
"C:\Users\Admin\AppData\Local\Temp\d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1a3355fbe3e7079f603decab29ae31bf

SHA1
ffc5db111070581b4010ccf84294914670f1dc66

SHA256
3facab62b68daf113491be7249e41c245d4e4deeb234a2d57d9c5866f7783a0e

SHA512
8a3792a5bda70f1a53199afa897f7dd9b4131240f4812e208802cddf46976b278ed6bc29bd3f09f85d9d24a37a5ab0f94e02ccabfd2974a9a2c947771c811526

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
4a3d6923b29e6dd5ab1348676334a0c5

SHA1
a52abee502c18e703d3d3c3a9c6b18779a216e41

SHA256
cebffc79063ed4878f2339ec5ed54ab0320d30efc13c277fef1eec2eaaea31d7

SHA512
3c86b9522ca407c0e223285f38a669f4673e65f4eb567757d9f1539b4b0d91c6a37865032260d4df2d7ef759ca3aed3eeeef35ca9df1a479a1e5ed4befb98289

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
15b523f3de12873ebc3e676a615aa322

SHA1
a2ae9eb8f8ee45cb884dcb040847ee61bb7b40cb

SHA256
6b32031871cb8259fa1a240c1bcce415ad73b6fb5239a2caa62225a5d2f71c42

SHA512
41386df8d1583c8c4207e71da7b10715773b0526f7b2cb60d6e0e510d7cdb26eba43dfd42075d53b04b6ee782ded125e7ebe0654f319b5af38910dff39c823ea

Download Submit