neconyd | f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2025, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
Size

64KB
MD5

69f7cc6fd27e49643574afd0a282bbb8
SHA1

27fc663276af53968eee2628bd12596696200bfd
SHA256

f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f
SHA512

6e995f9342b251bfb45b9a883fb9f9842df6f7d6da0dfb6067b269e60c9f09d1390edc894385a679c1db8c22761ee357ced0d7f3c184bc3c0cc27ce3d484a477
SSDEEP

768:jMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAH:jbIvYvZEyFKF6N4yS+AQmZcl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4460	omsecor.exe
3684	omsecor.exe
1628	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4460	4088	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	84
PID 4088 wrote to memory of 4460	4088	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	84
PID 4088 wrote to memory of 4460	4088	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	84
PID 4460 wrote to memory of 3684	4460	omsecor.exe	89
PID 4460 wrote to memory of 3684	4460	omsecor.exe	89
PID 4460 wrote to memory of 3684	4460	omsecor.exe	89
PID 3684 wrote to memory of 1628	3684	omsecor.exe	90
PID 3684 wrote to memory of 1628	3684	omsecor.exe	90
PID 3684 wrote to memory of 1628	3684	omsecor.exe	90

C:\Users\Admin\AppData\Local\Temp\f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
"C:\Users\Admin\AppData\Local\Temp\f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
4bbec540cab0a938c621bfe465a2dbad

SHA1
b823947ea25293997a27a82451526a9745e94a8d

SHA256
5c67466805d342adfa051c50eb9e273e7c72bb97ff0a9d4dd1e564f36bda550c

SHA512
da77f195d926de48fb761c0d931ea2fc9d1a0c60bd25f7160448d4baa3ca1c6027d37a0e2ffe3e35553fcba682d874ff0869d5ef23eb89a443fb53d87c7dff9a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
bbd228adbe5d52b27549643a21bcc571

SHA1
044e4598c888ca270ba929f568cd892a7ae89362

SHA256
ec6c28bc8384d6afaf21a20e86c72a66745d69cc576f93c0876dc26245376653

SHA512
4ec61c76e627e1bfebbc39e3e4e82ecd98869a3bf0747610659100b57fa555123b5053fa7711bed8e9f15678e786ae751cbfe8a376505f78552424128a0dcbc8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
0de0d56c0fdd27bcc420db71f6f9e260

SHA1
07a388ea6f36743819425421e5d6c5e3c3312c4a

SHA256
6eb3134c729206e0df140f7fffd3b26bfd35122d33aabd68c403f43ce1d56a46

SHA512
6c74464cafb1d28197655536b9e55eb046cbe5ba291784625b387ea2933119bf3d2aa573b1df79b909c409f7e0e5037270add7b5ea5eee97023a1cd5f6099718

Download Submit