neconyd | 015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe
Size

92KB
MD5

2be30265d272f74f1aca2612f0684f54
SHA1

a36210ff240468e9f2cc25a5848689629c917e83
SHA256

015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033
SHA512

645594d199256ebc93cd344a915d29b2fef503abe3ca2e8acedb7386a14b08ff4cc44dd4c0dc25c4de5867e742c8b935ea2ce76b6b4808873958c639ef40a2d7
SSDEEP

1536:Xd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:fdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3984	omsecor.exe
4808	omsecor.exe
1560	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3984	212	015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe	83
PID 212 wrote to memory of 3984	212	015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe	83
PID 212 wrote to memory of 3984	212	015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe	83
PID 3984 wrote to memory of 4808	3984	omsecor.exe	101
PID 3984 wrote to memory of 4808	3984	omsecor.exe	101
PID 3984 wrote to memory of 4808	3984	omsecor.exe	101
PID 4808 wrote to memory of 1560	4808	omsecor.exe	102
PID 4808 wrote to memory of 1560	4808	omsecor.exe	102
PID 4808 wrote to memory of 1560	4808	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe
"C:\Users\Admin\AppData\Local\Temp\015eb74a40ed673508cbb498237fa63e48b4940fc6c32d3d5e5dd4598b2fc033.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
3cc3dddf78d693cf1f89dcbfa1e6845a

SHA1
b71e5d7bbb3e29370dea355730dd5fa91ed5355b

SHA256
6c0d56d5efb0ede688f814694baf3c73eea60fb114087c0c663876255b8448b2

SHA512
6aab351e3fe97ca277ee42f79d2a684142271539b92618bcc921c8e1f10e768c108c8b1709c4b2bd348b194b090664be7dfe38eada7e6631009a3f5d1b8ac293

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
ba65bb96fddb219e2d3a4c102a0004af

SHA1
c472ba2226537accd3e2f18d05204216dc4d7db1

SHA256
eeb135b02a840d285641fe3bfa1f188c1e7c11d8d75c3b0516e52587a45bf13e

SHA512
a5764c6ae9ad2fad0b7afb5e58a16fd3f7cba73dfea53428a54ee86e413f1bd1a64a9d05a090f1e12c9aeb772a3af707966c0419f42c9caf7aedd92a1f73b9a1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
fd92357e92d75426f9a83bba8033db3b

SHA1
16d5f64d8a8718310b7e06108675b5936d8e55b2

SHA256
35ef9c0b871d607fc58169212a5ebe21076d8269ee6a921a5ea7f200eeb8eb3c

SHA512
aed2a14bf101bc96796f2ea536c7aa16dd8baba75a04e593ed16aa5c24e052ab71d74f744d486ebe9db145d3cd9b8c2bc59e5f1de8cff6b5f302df237b498295

Download Submit
memory/212-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/212-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1560-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1560-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3984-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3984-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3984-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4808-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4808-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download