neconyd | 1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
Size

61KB
MD5

09534757f4b64fd024a45cc653752a8e
SHA1

56d4789246d617c29d058c8a2cff3ddc32e7394c
SHA256

1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7
SHA512

7deee7ad0d96210149ee8fcdaeacc10403dcd735518bddc58bb5499eea4e47f2514d3ce1b07b61a65fb0cb8165760318bd1494c729434e6a5267ac67652892be
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5C:kdseIOMEZEyFjEOFqTiQmxl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1460	omsecor.exe
2064	omsecor.exe
5116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1460	4080	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	82
PID 4080 wrote to memory of 1460	4080	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	82
PID 4080 wrote to memory of 1460	4080	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	82
PID 1460 wrote to memory of 2064	1460	omsecor.exe	92
PID 1460 wrote to memory of 2064	1460	omsecor.exe	92
PID 1460 wrote to memory of 2064	1460	omsecor.exe	92
PID 2064 wrote to memory of 5116	2064	omsecor.exe	93
PID 2064 wrote to memory of 5116	2064	omsecor.exe	93
PID 2064 wrote to memory of 5116	2064	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
"C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
09076afe8fdc3ae2e324c0bced57f364

SHA1
a8f3a827ace7e912fed494369f0950f9c3194abd

SHA256
c63671de40d12c2b9fcc358661e16a0a09323728d31277ccc68d2081a5415175

SHA512
0ebfdc5a173482f1837ec78ad812a5233a6d77bf067ca729a5eef6b21594290963afeb9079df118178ebfd8c141a387d5f496ff65ef39463414c846b5e375722

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
26db7c016a583f578811e13cedcfdcbf

SHA1
aa7bb664a2e55869765012aa3ec2b7256ec1c850

SHA256
838f89384c7a5227e11a466791d2f391aec92c40aa26792f6cd28e8609c61551

SHA512
500921f79da5706064559cd9fd1cfd9f0903df328d53e4e54def91608b54d82c71478765937d6d7a1b9e2516adb063423493b7dbfdf7a7fc6b46767cf0485a8f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
aa4dbf1a7854f41b8d733a4c52302c4b

SHA1
ab63df91e9b2b85ef303824c08322ab607eecaae

SHA256
8a78adc0cf69154b60c0df8c51b2810aa5967cfbf63355946abc6a943975435d

SHA512
6d9130cc9654837e893c5b93c465350ca24e9dc0a97ed8a7f3becd71346dc53417cca08a6121d372b72519ce48e2fd61cb0f19d39d010f7139e793f8d3c41cf8

Download Submit