neconyd | 17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe
Size

61KB
MD5

a74cb5983f2c35758dbfb8918f1c1de3
SHA1

8d44cd64264c145feeb9ce87f9a77e4c3edca65e
SHA256

17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f
SHA512

4cc0792d2bb0ba057a0812262adabdc076a9bca756b25ee8b8a3fdda9d2e4e6b888c3202dac93b1397d75a61dd674125014a59a8e853c942c6bd308e90530bf3
SSDEEP

1536:Cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:ydseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1428	omsecor.exe
4108	omsecor.exe
1644	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1428	4872	17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe	84
PID 4872 wrote to memory of 1428	4872	17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe	84
PID 4872 wrote to memory of 1428	4872	17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe	84
PID 1428 wrote to memory of 4108	1428	omsecor.exe	103
PID 1428 wrote to memory of 4108	1428	omsecor.exe	103
PID 1428 wrote to memory of 4108	1428	omsecor.exe	103
PID 4108 wrote to memory of 1644	4108	omsecor.exe	104
PID 4108 wrote to memory of 1644	4108	omsecor.exe	104
PID 4108 wrote to memory of 1644	4108	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe
"C:\Users\Admin\AppData\Local\Temp\17360f7e478974170e678c862f2055162d89bb7b8e5be36f4a08873ec92e0c9f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6fcac6f9f62f79381bd08ebb3d4b5433

SHA1
3b5e5d2699be4de573168866ff51fb42ad577930

SHA256
6e8997c701bd72bb289761f185e6a852a250aae95f107262777b85c4d98f9b19

SHA512
953cc5b9be72bf3abd3adfeb42d592651fb96a4c1a24a043733e610a674e43893aaf878495846e35c58d6c3b1e1d0920dac63ba3b327591baf59eb69627f8372

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6cf2457d1ed3508b97412f694ef399f7

SHA1
2bef013201a89766480d54e714c1bde6a61a8cca

SHA256
c2a8559aaee120eb7b3002860244c1c4634cbb9ed6a40d365df35dfc1dcafa49

SHA512
5d90214573b34bfc914aba2c34515fcd03a585fc02f58e82c4214906e3f2266b15a7fcacc2f9cbca5f97f3842df883b2064c53064b74ffc65ae6613dd8079dbe

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
722a6c0b5c7102f6bf2cc19f386548d0

SHA1
ae561eb43007264f59ed9b49635845de14cb0a05

SHA256
1779dafc36adddc0d4e2e89d507a9227fe1c9ba9f36f21b851736e6da7afbd52

SHA512
46e415d8f72aaba11e3c06ed07314df219a84c380f3e445f12353e010990d85664b7ebcc8a0c27da0398fa50586f0f24121d6c3383d93531cad7cbc92b7e56d4

Download Submit