neconyd | 4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5eda

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe
Size

61KB
MD5

7838514e3189111da1d47ed6422e0ef0
SHA1

af409beeb187e04417b161e7e187feb94fd480ac
SHA256

4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5eda
SHA512

fe553727ed52dfcfede0d3d7125cc5ffed473a1832d67fb34768b99ad977dd95a256292b178c7dc2d82411368a701c32e9658fefa31c32230d78ed2a1c922884
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5n:7dseIOMEZEyFjEOFqTiQmTl/5n

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2544	omsecor.exe
756	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2544	1456	4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe	83
PID 1456 wrote to memory of 2544	1456	4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe	83
PID 1456 wrote to memory of 2544	1456	4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe	83
PID 2544 wrote to memory of 756	2544	omsecor.exe	101
PID 2544 wrote to memory of 756	2544	omsecor.exe	101
PID 2544 wrote to memory of 756	2544	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe
"C:\Users\Admin\AppData\Local\Temp\4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5edaN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
ed5942db0a4e9dc8d29337e35f87b935

SHA1
932be1b833e47181be1a586c6bef0c53998af716

SHA256
5106bc9c028ac5c59d7039f331f65f996697c507ab46baa284bf7b76976d2037

SHA512
63cfbc091191a42ccd8d660f82dd7789b8f826a436e2444d3f25614572d8f65dc64411c706869dd2a5f5a66ab97472ff34d13a36b13896c268b0011c4891d2a1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
283c359c12201f41e79a8f558740a365

SHA1
4818b85b633178fb5263b853f581fd44d3c88d00

SHA256
44e3f789a3d7fb3d435a5070a6e43ab1377a0a86b825677726a4290c8314efaf

SHA512
be5c599a4a79641335474f07aa8c74923b8a8670863b0f52d491e06c8c668468ecd21788b7ad20d162b15c4712d73d93176dad5b08e1449113903931f5809ca1

Download Submit