neconyd | 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Size

72KB
MD5

6fe48d5c17a51a1e1cdc580929ecf150
SHA1

4a9ef6964981bc925abaa5b71acba37ef701dc63
SHA256

54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc
SHA512

f6343572658a44f6df4ae82ac8bd0804130baeb5621e3cafa8c6388e52dce08709f569f7aebdb2887c601d0a05a6ae4875d66c9c650e271cfb7c20b6150a3451
SSDEEP

1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:JdseIOMEZEyFjEOFqTiQm5l/5211v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1292	omsecor.exe
2388	omsecor.exe
2188	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 1292	4388	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	84
PID 4388 wrote to memory of 1292	4388	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	84
PID 4388 wrote to memory of 1292	4388	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	84
PID 1292 wrote to memory of 2388	1292	omsecor.exe	101
PID 1292 wrote to memory of 2388	1292	omsecor.exe	101
PID 1292 wrote to memory of 2388	1292	omsecor.exe	101
PID 2388 wrote to memory of 2188	2388	omsecor.exe	102
PID 2388 wrote to memory of 2188	2388	omsecor.exe	102
PID 2388 wrote to memory of 2188	2388	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
"C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
152aed8fe9f4ce0c6ab30483a9069b09

SHA1
3892d1629722f5256c46e5f5fc2e979c802a2730

SHA256
33edbea54839273e6f70520079996e052cd5406e2ff842869e9dfe10cf55e3ec

SHA512
371ea7a38ddbdd57fb43021667093586854f35fb0be59b7a761fe466c5ebdeac9c6bff2af26c8b449729ba52f38d30bb90e4280429a3c5e9175117c5f2b4a965

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
decd33de0b63b67571294e4a88b2cefc

SHA1
cf09cb32e9b26448bafb5d3686da73ad5bfcd502

SHA256
43d3e2ee9057a7588fb9511092d35a44974c5c54fdf1ff6f23e1d0acfd3231a3

SHA512
0d1a5cec2485c107fd84d54fcab534d5288eacc2d5a7c3fad00adfe6a290538486b0263da315a1467217b8506f1887b3360ec114328d67f9eddec7c6562dc117

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
fabca953ed1e1057c8209202d93bae69

SHA1
6b7aad8e2ea47a8c8fe92c7cbc0a5b3c89070394

SHA256
d6eab3c9bcffe6601b19e750719793d1a59dd99219c1d04d54306fc225de5c91

SHA512
799acbbf4ccdd7449657816b62142272f162ee0fc0432056c7942e0b52021788ce6ec29ced0dbfb6e30adb26e2eacfe0646a46af5336e281963c56bd8808e0d3

Download Submit