neconyd | adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe
Size

61KB
MD5

cb1ef5802aa37c2f3c14232a68d36bc1
SHA1

b907b2e226ebb63f0c5f78b5d7cb010dc5a88b18
SHA256

adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4
SHA512

f90f00d74ce287f198eb4e9eedd0785de9ed11dec1ddaf7c1c50e78f938b9165ee2dfae846d2eaeb5b23ae9976d1007b9a9895ebd004f2543ac33fefac675c0c
SSDEEP

768:SMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:SbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4852	omsecor.exe
4788	omsecor.exe
3520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4852	400	adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe	88
PID 400 wrote to memory of 4852	400	adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe	88
PID 400 wrote to memory of 4852	400	adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe	88
PID 4852 wrote to memory of 4788	4852	omsecor.exe	108
PID 4852 wrote to memory of 4788	4852	omsecor.exe	108
PID 4852 wrote to memory of 4788	4852	omsecor.exe	108
PID 4788 wrote to memory of 3520	4788	omsecor.exe	109
PID 4788 wrote to memory of 3520	4788	omsecor.exe	109
PID 4788 wrote to memory of 3520	4788	omsecor.exe	109

C:\Users\Admin\AppData\Local\Temp\adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe
"C:\Users\Admin\AppData\Local\Temp\adb11ba0ca2f5e48586b37c5401790505be7709e7b14b0bdef089060b8e819f4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
286ab98496a86ed7d6efa10606d0536f

SHA1
88da315c8f0bf34e018936de6e2d3a80e05d62d4

SHA256
37e221b1e0c5b95be81374b73ee1f63aa0382cd19fb7ce34a168e7cca3308f08

SHA512
7c37e04bd6f52323d8ac97c15c2d5f48a1616229e7f8179b3062d26da8e3cf8754351cb58c72e92a901312ad0925ff17f7a88f1cf69ae7fc040ea5b54a223e18

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
1e0c26dccbb847b14a3a0251045b0036

SHA1
1db2f940611fb51e44a8fbd0be62b7186a3fae85

SHA256
0b8288e7b33d5ecc48a80649e4fb027fe3831afd9962c2e3a839c121b781c3be

SHA512
dcca03fdd98cd794398bb8962ca8d569c6730a0a8210c1bae55ec4f2a2c3bf090840d08b3560c07bc96a6426cb818b2277c00689105fe9a5b8614b334e7b719f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9773df44cf1f27f0f1ce8130117a1caa

SHA1
a5792a5ecccc895653fd9db0b691d2bc1ef011a9

SHA256
8278d612c29f970bfb09ce6cb37e2073626454c0b45424488c7124ccff37a44b

SHA512
4a5f0de3a775fd4ce8b88e76667398c74bcdcb4f03ca8a0ef2d37b2209d6c50b31167d18f89f1a19eb20ee8917e1dfc1533551394aa7fdbe0ba5c780f41b0305

Download Submit