neconyd | e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
Size

80KB
MD5

57f5f9371c3958b32fc9aa2b935df480
SHA1

40d2b22fe370d20e93dadf6d09683ac2d31f987b
SHA256

e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559
SHA512

9aead12a2521916681e1f68dcf244a1bcbb56cd454d39af0544d251eb7ed6bcf986973c6b2d0b4dc6884a87d1e531b3a34b4abbd4d2cf73d07680d373b2053c8
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:LdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1792	omsecor.exe
4432	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1792	4496	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	82
PID 4496 wrote to memory of 1792	4496	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	82
PID 4496 wrote to memory of 1792	4496	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	82
PID 1792 wrote to memory of 4432	1792	omsecor.exe	92
PID 1792 wrote to memory of 4432	1792	omsecor.exe	92
PID 1792 wrote to memory of 4432	1792	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
"C:\Users\Admin\AppData\Local\Temp\e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f97587f7b361193b7db0db38ad4fb970

SHA1
584034a137030cfcee780ef8835c5d7de588e081

SHA256
5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47

SHA512
157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
0bb1fb8af19c2b3412725297bb9b9968

SHA1
92b94442e63e3e40bd98cba4fb08ffb041d682ff

SHA256
f2b84736134badef76d476ae2cb5b7c708960c3507b1f76ebe1b71de77016cb9

SHA512
9784954b40c3e0b1a3882cd27b2d35990fcf78384c6ffce4e0d889592d432c36e55d0fed6c47948292af90b2ce72de7c127edbc666b350167ec60786490af79d

Download Submit