neconyd | c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
Size

61KB
MD5

5abcdf729097346ef78f2f0de622e985
SHA1

f8c651f1f42bfdae19805eedb6a8ed143c51e99f
SHA256

c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730
SHA512

1751a20c427b07e6728fe761762fd6240a15725866fedee9e922948e5ae1dd04d16a136df9fc5a16061cd64734e2dd6eb52b1bd95f504bf5e950c9c18c77ce0b
SSDEEP

1536:kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZEl/5:cdseIOMEZEyFjEOFqTiQmCl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2440	omsecor.exe
860	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2440	4144	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	81
PID 4144 wrote to memory of 2440	4144	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	81
PID 4144 wrote to memory of 2440	4144	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	81
PID 2440 wrote to memory of 860	2440	omsecor.exe	92
PID 2440 wrote to memory of 860	2440	omsecor.exe	92
PID 2440 wrote to memory of 860	2440	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
"C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
2d90c64f5359bab5e38188d2ead0e30e

SHA1
3637462a38a68d410997fabdd311a6da2583ebd3

SHA256
acdb6ffb5b73227e01134fcc7b7e6664dd5eff259f02a49e48dab614a1a25784

SHA512
f83f581528e690ffad673f2a649b43a68a192c93698ed446f8599480384a8c67d36d02b863c03b19dd6c9cb8599e357175aba2399203c70b1f7b38c5990e67e7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
fca9fed67126c308ca46d4e6c0894f2a

SHA1
96316bb4f43d7de598b6768e73ba124a14adaf6b

SHA256
95b205621b55f2d20786607c807122c6e692cba59f531b80df19c46f87a8d198

SHA512
73817ac52346cf9b95c857b24b7fc344e908f6853c403d278d32aa6895aae3d61e0c77f7dea259a4b5ed960475a47f4ecd51d2176c1f18f4a904ec041207052e

Download Submit