neconyd | 8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
Size

61KB
MD5

d95ce442176fb8bb198dd1be4850d7c8
SHA1

b739fdff2b4a1c04c8dddef6d6ae010f74ec57be
SHA256

8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf
SHA512

6815e5f6d516fab8749483b19551ba628bada52add3c46da8ce79423e3398ad5bdc3a4731aa50237d3ceaefee7b1d1162fff06d1c4b2138b7ac145f2e0e6ffa1
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:+dseIOMEZEyFjEOFqTiQmFl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4724	omsecor.exe
316	omsecor.exe
2580	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4724	2876	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	85
PID 2876 wrote to memory of 4724	2876	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	85
PID 2876 wrote to memory of 4724	2876	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	85
PID 4724 wrote to memory of 316	4724	omsecor.exe	92
PID 4724 wrote to memory of 316	4724	omsecor.exe	92
PID 4724 wrote to memory of 316	4724	omsecor.exe	92
PID 316 wrote to memory of 2580	316	omsecor.exe	93
PID 316 wrote to memory of 2580	316	omsecor.exe	93
PID 316 wrote to memory of 2580	316	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
"C:\Users\Admin\AppData\Local\Temp\8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4aa4bb0286bd32939c77caf88dbd185b

SHA1
efe8e2498051e1cd5916c13848aa32ae8be521fd

SHA256
c7c64f063a0f38d4eebcc6dd1f1360ff1107746806588a33d68ec122c9e2f697

SHA512
ac9ced588f22edf4ac9ec7d573ff40542a78830406d9f45b863792145a933e8dc49b29fcfe79fdb68ec7dd19b82b729ca1925ebc922e5177fe107b4cf74dbac3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
377307ce6f0546c8dcebde1e9145f03e

SHA1
024735238b301166c448f7a8ef1fe27295d25112

SHA256
4ae3e1d5d05e44b7522545228b9b6cf9922e83c67fec778ffc70ca8e6f3a03eb

SHA512
09b1251a30ab8fcee113614f2110525ce7ae8eaf0d1c924357e9353456a54572f4a71682bf5a77cd828af19ad35640bcab8f0c4083d10be5e4ee68addab78e74

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1e800997f05c867160ada4b677d8932e

SHA1
8178f0501aef53a02b05878ac91870b3ca651a63

SHA256
03b5f9f84595047084b9ea98a7d480df88366973785c223391294ae9dde1d7a5

SHA512
e032c96a885bb243503e68ed4123fe43c42c16103299b243bcc6364fdb36ef149923eee08a4c3cb6d67b1e50d02a6e7677a1c7e460df69d9a2815b117a54698e

Download Submit