neconyd | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Size

80KB
MD5

ad4435bb25f4a761455cf19cbf6b59cb
SHA1

249e6d126522149a5b5d6c2fa1c788fed38943e0
SHA256

f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a
SHA512

d9f9229dcbf3bc5149028280a0c764538225bb9e83a3f52402def65293b2d2802b6eb8b859fe2487113b03662d323455a52f74bff50040ff59c382ccaa5dff0b
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzp:wdseIOMEZEyFjEOFqTiQmOl/5xPvw1

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4432	omsecor.exe
3232	omsecor.exe
3160	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4432	2276	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	83
PID 2276 wrote to memory of 4432	2276	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	83
PID 2276 wrote to memory of 4432	2276	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	83
PID 4432 wrote to memory of 3232	4432	omsecor.exe	99
PID 4432 wrote to memory of 3232	4432	omsecor.exe	99
PID 4432 wrote to memory of 3232	4432	omsecor.exe	99
PID 3232 wrote to memory of 3160	3232	omsecor.exe	100
PID 3232 wrote to memory of 3160	3232	omsecor.exe	100
PID 3232 wrote to memory of 3160	3232	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
"C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
baccce52005058c533d8afacbafcaaab

SHA1
db4caf5c60ea844842ff6be68723d9e8f390969f

SHA256
3dab5e36682bf7ed8876080b20f9232b43efcf0051b4612a93c7bd43a804a9c5

SHA512
5f49f56e829b760bdef7d3bdf25fae7f2ed1684cc273cec872a377668e928e47006608321812170ea3e9b2aa6f5484be5d17c4fb48685a3c1166fd2a69942c60

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
35e41059f24b43b24796a6bbee1700c8

SHA1
ca179cb5f7eacc1352be79b5f85abdba1651052f

SHA256
09931456a13261ba5211a89c8c418dc2a705037219d5e7dbbf9f476fe96ef9f2

SHA512
92159a744ea8f97dce8a221a6ed489d0896c4aa5cf4a282a4f492de7c935ad2d192efc0de3c959468f08da937559716d7509c95736b733c1926a2401baffed88

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
d0524761d07b233b488e03798895a4a6

SHA1
9473b1ee5b2e4fc699c3359841410fa3ea187b53

SHA256
a923c5365830231cade0a6d854e41f3431c15fb63ea8a4edc7df98b78a967cd6

SHA512
e6cb773e4d0dc553239920a6fadf37e34ef15f964fd5e5c95f0097cf0534b83ebe5d2be1e9de43933d7c7a076c6834b250c875442dd6845c6c00538596c829cf

Download Submit