neconyd | d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
Size

65KB
MD5

e19a4eb6cfce9d24233437ea72bcc4b0
SHA1

b143d971c9ddde73ec18c347091572efaf610fd2
SHA256

d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653
SHA512

2de3c5f0b37cb42fd217ead99f013ffb4743cb588ab4119d9c1c2eec6e9242279ee8dbf651bd86d5dd73a16d336b2c96e6eb47a6d98692699e54ff8548006230
SSDEEP

1536:rd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:bdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2464	omsecor.exe
2596	omsecor.exe
1864	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2464	708	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	83
PID 708 wrote to memory of 2464	708	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	83
PID 708 wrote to memory of 2464	708	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	83
PID 2464 wrote to memory of 2596	2464	omsecor.exe	100
PID 2464 wrote to memory of 2596	2464	omsecor.exe	100
PID 2464 wrote to memory of 2596	2464	omsecor.exe	100
PID 2596 wrote to memory of 1864	2596	omsecor.exe	101
PID 2596 wrote to memory of 1864	2596	omsecor.exe	101
PID 2596 wrote to memory of 1864	2596	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
"C:\Users\Admin\AppData\Local\Temp\d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
481dc7fa07c932436c03871b5724d38f

SHA1
1ee5756472365b77798e060d44503e24390901d3

SHA256
92e2d4ffae91c506b78e3c5788d96d4cc3cd50926a2d02022e325dbe61a9246a

SHA512
4818770fb12993ab025bc2d3e7b5a0cca8d06c4d7e65cf43274a2b5e81dbf672f1524f8fc2548f9b880010a3efc3b817a5a1e46eaa16f7a0156801dbe307e247

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
2ef3d34e6d21d522b489c091d66f5fdf

SHA1
4c6701e34e3c59a81cec328ee9ac75a636484398

SHA256
cdf48f239b4e469ba9d68826ef34d6cbd5ca107f02e4b3574d490a44727befa3

SHA512
0b861b593f132b265e8603e72c30013142b9f899568a0d42457d6d022307aacff181cead8b66337b1a7871b0c8337e343618d4cd5949cdb71e58135fbf685e21

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
f40f6f649585a88075994f4c2a4f3881

SHA1
40c8bc2b7d3ef96ad165fc457d52ffb0c09b38e5

SHA256
136125bdd3cd5b4f33a10388c9dad484707bdb0604992ee025a3a2dd454e6444

SHA512
74b0ff0a4a5cd795cb2f8b3fbdf51bf23566b8e8d31252e8a75c5d08c5d02cfee63b62c7928ad07b2db107bff8fea63502f497c93828cac260867f21d790b02b

Download Submit
memory/708-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/708-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2464-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2464-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2596-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2596-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download