neconyd | b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01b

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe
Size

80KB
MD5

9bc80822b028fff58ee08ec2ea934270
SHA1

f9bd989066a859ecf53dc2347b892e18691564c2
SHA256

b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01b
SHA512

d6ae05288d4721460a4676126dc55548427cf95071a6412ce767985b61ce429ae3d1780b46063f6853c81de905ef03c573d0d65775c13a8029072822a850fb08
SSDEEP

1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzJ:2dseIOMEZEyFjEOFqTiQmOl/5xPvwV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2404	omsecor.exe
2208	omsecor.exe
376	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2404	872	b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe	83
PID 872 wrote to memory of 2404	872	b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe	83
PID 872 wrote to memory of 2404	872	b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe	83
PID 2404 wrote to memory of 2208	2404	omsecor.exe	101
PID 2404 wrote to memory of 2208	2404	omsecor.exe	101
PID 2404 wrote to memory of 2208	2404	omsecor.exe	101
PID 2208 wrote to memory of 376	2208	omsecor.exe	102
PID 2208 wrote to memory of 376	2208	omsecor.exe	102
PID 2208 wrote to memory of 376	2208	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe
"C:\Users\Admin\AppData\Local\Temp\b21e8df9279fc8634113987252f62ff0235306b01931c99767140b8ae8a7f01bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ce75628c13206e1032065616bee1ffa3

SHA1
1461dd24cef78046d1b03d6f37e496f33ae1c1c9

SHA256
2934a1d7e01ad43f9caa050a5827df41a9161a9baa51cbb2d64f86bf863f2e87

SHA512
3d0cda0ac86891c14fea06abc6f6794636c736a9b6b333530b2293f4e92d36db42dbbbf283d404e84cc3ebde69f0a0d0724d4f09edfe57ffcf67786cf9e76895

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
af2cf09c6199bf9f26ce46bf479d429c

SHA1
cf43a541262520e1202bcf17dba694a088d17cb2

SHA256
dda355d805d9fa7d56fbcb14e26417239e14e7ce7395be5da20b038c257be8c6

SHA512
faed24ca0bb97c8f06a4880b74242c053bb3034d049b3bbdef2822743a2e8d0431a2dfe96834d39f42d8637faf6290e67fbf2a2376da3986656f414be822621b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
2ff3a1f53130d0f8bbb8e76f3673c572

SHA1
0a69f6603de1ce62d7c9418e37c8dc4a4d394efc

SHA256
4260aa5586fcc823704c1d909a52e49734d242a0bb984518ad97d03a43d76c8d

SHA512
430215c03889dd260d236e11b2866be11973f05fad35eed0b65a71179bc7835a110b978cdcb0d96c1b805d3ce16d1167d94d9ee417ec50bb6990b3791f80d038

Download Submit