neconyd | 5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Size

80KB
MD5

f97587f7b361193b7db0db38ad4fb970
SHA1

584034a137030cfcee780ef8835c5d7de588e081
SHA256

5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47
SHA512

157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9
SSDEEP

1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:MdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4580	omsecor.exe
3528	omsecor.exe
4940	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4580	532	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	83
PID 532 wrote to memory of 4580	532	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	83
PID 532 wrote to memory of 4580	532	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	83
PID 4580 wrote to memory of 3528	4580	omsecor.exe	100
PID 4580 wrote to memory of 3528	4580	omsecor.exe	100
PID 4580 wrote to memory of 3528	4580	omsecor.exe	100
PID 3528 wrote to memory of 4940	3528	omsecor.exe	101
PID 3528 wrote to memory of 4940	3528	omsecor.exe	101
PID 3528 wrote to memory of 4940	3528	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
"C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
90f2ef9de6df1ffb936d2197a1bce4a0

SHA1
f927998855e78738d4ec9675fb96355e0f8fc3ee

SHA256
54337ea42b44fd8bd5720c6b4c2efc27b6505fcf629fb3174231a2513ed511ae

SHA512
9bb14e047c1592ccf287d1deb68ea2bb7c452e404fea9d9ca41a50a3a52c88080f8921c429c6eba0804185980f2fdf76497742ac8207e53b5a7acd63b30fe2c6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
77747f222cd5cf4ebe7b1fb987aa71cb

SHA1
280957e938ce3b4cad37ed83178a19723d7f4d8a

SHA256
489db48d37861cd49820a03e80195a23c6fbfacc3ab3f78787cfe1b8dd3d4445

SHA512
69480b79172d30fea7bc7f51ab174717b912285d41d09a6bb82ad70bd1f7d7797dc90c1b9771e85212071bbdf5fb535d9fa917954eaa2ec23ac9ab4c7d3b1c2c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
7e425608010a6e12fd37818c0ec31edd

SHA1
2e18d18526ba0f83732b6db3dec0e80ffa09b6cd

SHA256
ba6ea32054df7ca4cf61eeb2db1053ad06aed4dd6b45a6f04d19f44f65c2e799

SHA512
7b4d33e85574205ba2f418c76b7c508a944fcebda75da6dde438e135138dfbc5580037cd28d27e7c2d82290d3176ca9d8d997cdabac99527a4be43461ba77f03

Download Submit