neconyd | 000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe
Size

80KB
MD5

0f2102dfd101497bf1c1427f0add67b4
SHA1

c75a668a75d7f06772c4e2698b8e4b4e2b270af5
SHA256

000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9
SHA512

aeb902bf9c67e5f76a5202a1b7d799fa67615e5031a5721f15a0fcabd9494f775282cf14ecd0be06d507654197bf5c00ef0680dc6f6a78830bb1e9ae98b5cd0a
SSDEEP

1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzL:2dseIOMEZEyFjEOFqTiQmOl/5xPvwP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
440	omsecor.exe
2492	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 440	1028	000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe	83
PID 1028 wrote to memory of 440	1028	000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe	83
PID 1028 wrote to memory of 440	1028	000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe	83
PID 440 wrote to memory of 2492	440	omsecor.exe	101
PID 440 wrote to memory of 2492	440	omsecor.exe	101
PID 440 wrote to memory of 2492	440	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe
"C:\Users\Admin\AppData\Local\Temp\000f38e22772063ed680321ab8a9e7038e26b19bc0384c2b82c25abf9133c4c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0c2b460086c8226f3037983718c0b38d

SHA1
5d74513531b32806516fe67615e71d971b26205c

SHA256
d409a355651b94286b8cfc4754c99f57258d7603323f84224abdabffa7e409e0

SHA512
f17d0be436feb083f3ef33dc3c34334ac6e9ba4dfc411c24ef986deb41486751bb7a1b9efbf4ea729b79640cdc59a87808fad1fdedf2ffc9ca266c2867bb5bd9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
e327198f1e8e52604a69a1e1f80828d2

SHA1
9a60dff7ed40dc554a012e63303abd4a98db48a3

SHA256
c5934cf56908351ead490ff7c2ca190ec339f81e5528897c61bbdf527e2c23b2

SHA512
69a622bd519ea30f5838c639ca745342e1200c61e99082d20a37446ee1686c12f69cd34b5d7d079dbb0ba5c2115954a1c2b08fadc4e454e03230ec1d3154f559

Download Submit