neconyd | 030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe
Size

80KB
MD5

f5c2078a68ff7a7a43e9949440b72a38
SHA1

b79de6391e4d24d33878c3ae63a2cf56f526775b
SHA256

030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f
SHA512

217fb9c0ed282060a2ecc2e25d534ebd63e6ab7a0831b992bb429cb1c0dc67b735b4e60e5d898b36a934b1fdf496c85130bac43c671c5b1cd61f012b7ec02d6e
SSDEEP

1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:GdseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1784	omsecor.exe
4836	omsecor.exe
3720	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1784	4004	030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe	83
PID 4004 wrote to memory of 1784	4004	030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe	83
PID 4004 wrote to memory of 1784	4004	030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe	83
PID 1784 wrote to memory of 4836	1784	omsecor.exe	101
PID 1784 wrote to memory of 4836	1784	omsecor.exe	101
PID 1784 wrote to memory of 4836	1784	omsecor.exe	101
PID 4836 wrote to memory of 3720	4836	omsecor.exe	102
PID 4836 wrote to memory of 3720	4836	omsecor.exe	102
PID 4836 wrote to memory of 3720	4836	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe
"C:\Users\Admin\AppData\Local\Temp\030f71ee2048d3c343437a7e3c7c8ba254db5360a464ca45a15aca1e5721011f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d9a6d53026f0d885103ae4e1992843a7

SHA1
8741603af69c1a334603f7eeaa10253c2891c1cb

SHA256
c8c7413bfba14f9b5f844c51a4d15cd9d26adea54f09b9db7cb4d0bfaf3ec47b

SHA512
310491c3723d9f83d1f1b965e6ab99d8e3515dce0c47575ea9003dd00521461ec6e3c5f79e3e83c30ad18614a2e65fc859f37489c162cee836c15015030b80f6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
71a35b4ee5a6ea8459dc74603912f9c3

SHA1
ff7ada27bd90e53d1eaae7797b7e7382ad63bb9f

SHA256
53f51786f6db1394c0782fa1f085fb3b12089fc70d129cab38bb1b544819648b

SHA512
a590f2511838a436ee6ae681485f8f86552f7915b385212a7426ef8b844012b690f07f745c24c4d55005b1ad76057735d82189b9286477c830534da265ecb97b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
077f185479076d153d73910ff3285234

SHA1
2e4e891918b8ea752198b699c7106a8a946d335d

SHA256
704c0b7961ba495742642dee9858a1b000ad35127711c3e6ab5d8830e6473e86

SHA512
e48e5a4a51a6b0f708afbcabe929a4aab283e0eac47f58c7a8bbdf5460c68815b114b237c36c443f902ad4a3b0810dae4df6989c8872608265698ea7f4bba033

Download Submit