neconyd | 18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe
Size

80KB
MD5

74d1bab26ffb89f754807e40798a6736
SHA1

02935a3921f1a6df1db84287039cb276b8484b25
SHA256

18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8
SHA512

b7ea77639895043898e636c64134aa8905a7a8e57a4ec1f33e74f903400aab9af852e693c591cf4c06e528cb2f73671612eb644e1ddf4e4909460a8c0fd1748a
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:QdseIOMEZEyFjEOFqTiQmOl/5xPvwv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4040	omsecor.exe
4732	omsecor.exe
1948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4040	5036	18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe	85
PID 5036 wrote to memory of 4040	5036	18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe	85
PID 5036 wrote to memory of 4040	5036	18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe	85
PID 4040 wrote to memory of 4732	4040	omsecor.exe	109
PID 4040 wrote to memory of 4732	4040	omsecor.exe	109
PID 4040 wrote to memory of 4732	4040	omsecor.exe	109
PID 4732 wrote to memory of 1948	4732	omsecor.exe	110
PID 4732 wrote to memory of 1948	4732	omsecor.exe	110
PID 4732 wrote to memory of 1948	4732	omsecor.exe	110

C:\Users\Admin\AppData\Local\Temp\18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe
"C:\Users\Admin\AppData\Local\Temp\18d26e9639de971412568c7e4334220161404d289169ef51a9edbda7828e4ac8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3ae81b8fdeae6fc085cca8f6a4f4f8c3

SHA1
9d6bf7d82afd3bb874faef7930d8cd7cb76e062e

SHA256
ca799954cd606bb799fa00b4b44cb5c6deee153828b1ac9006182886a64dd635

SHA512
8521369a1a4d4deb47eef42bad62b8062266c6e7915d753b82b49b09ba91c0598d16bfa34c06a35bc8c017dd2181008d1473cc6b95530b958b0e83b1fe0763ab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
524586543a4152a9da786a662d7a9af7

SHA1
9d47400e3b57465a7fbd4f83b15d01b41e28c339

SHA256
6046a1f9d8aa71b8dbc6fff0a026b259acc5d3e74ffb6824fe50d3f814eaf895

SHA512
a2df81929f5274828dfe53a7ba612a33f87d1a4d9d856191800e962cac36288c8d67534ab86023478f00354023f36f2d384c71d4088a0427af1e7c50ed62d37c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
27613ab18697e9010088ae341c740ca4

SHA1
72205d35c2572844cb0ca81652225645c24e81ee

SHA256
14d03d2b5ecf5331af7e9d28787891230502fa731ff4298b9d303b93d2204608

SHA512
60766322b96cdf8bafdd67b0f7ffa5ca27a58674e42b235bb18bcffd8b0c4a306a504e7effb89c92c748d1ab04e7bf2ed738c5fc6b99db96a3964147353f0ffe

Download Submit