neconyd | e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2

Analysis

max time kernel
116s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe
Size

72KB
MD5

46dce827d6810b68dcff36ff3cf261b0
SHA1

409590ee15eed0de8ddba0cd64b5d0ab732bf9cd
SHA256

e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2
SHA512

cd1a3481d897f44942d358bf0c92333813c0f5667deaf899bebf105ae26ca56a3a3d197b2d95fae160b2339f6d085e4d5397086799fab176aca91cdf6fbf5bbd
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:NbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
900	omsecor.exe
4916	omsecor.exe
3580	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 900	3156	e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe	82
PID 3156 wrote to memory of 900	3156	e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe	82
PID 3156 wrote to memory of 900	3156	e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe	82
PID 900 wrote to memory of 4916	900	omsecor.exe	92
PID 900 wrote to memory of 4916	900	omsecor.exe	92
PID 900 wrote to memory of 4916	900	omsecor.exe	92
PID 4916 wrote to memory of 3580	4916	omsecor.exe	93
PID 4916 wrote to memory of 3580	4916	omsecor.exe	93
PID 4916 wrote to memory of 3580	4916	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe
"C:\Users\Admin\AppData\Local\Temp\e4158ffbf04657a3c0b2533d8b44d17464b61d12ce24eca4857ee2d1951517d2N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
777e4a595b853f7c39225c88dd12490a

SHA1
93a2b57269709dcb101ee781b6b89e124ed446f1

SHA256
a7e424c89ad3486899f1bc47406f65a6dc20b7b94e9c95fdbfebe8fcbdf42aa7

SHA512
250cf5bcc1661fcda6b6b274d6ae3f0274b0db8aef82854f77715ff6b964eb626d4674308b9510828af227790fcf2641bd003033545d302730a726dfbc7e39ab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
14897a8e25aaa4810eb67f98d3fff260

SHA1
eba7ea24e6a5c202c0fecf600391a2d843a68be1

SHA256
6df1d51e358e9632750957bef556ca0a124c44622d1d97b8c4f5a94886b80cfa

SHA512
f7cf07f3f271efc14d0b32a3c52dadbc0d2c39cda191dff7b00fab3a0184f9d4c75178f36683645c620efc7a7031f4605685a3b12a48adfd58e3555afea9124b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
9827d45c9e58dc0a07680ecb9cac3535

SHA1
a526504f5f186f654f3db31c7d9d873cbab8ebe9

SHA256
2900a4ac9719815467f60c137fa205718329b11594dd33cc70ca1f16d6214e25

SHA512
babd4cdbef2d2fa16ac68c3d3483637cd438377dfec2a7ea6c72b2d6dc0f02720c87c84a73c3e01969f82137ab2193b139dfd0034f7bbe70eb67788694b28176

Download Submit