neconyd | 1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
Size

71KB
MD5

04f6650d9b17bcc0c0409cf712c6b0e5
SHA1

7753d3937251fb6b657fae9eb7efe221e3057a5d
SHA256

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669
SHA512

bc7c7decc774484c3d59513e85e181287efeae2fe2b22ee45b3b85961a03957fb762928e07385d786a71c5945e2b46bccc2f1c574cc1c6ee2a92f18f68b2e564
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:XdseIOMEZEyFjEOFqTiQmQDHIbHV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1060	omsecor.exe
3448	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1060	2308	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	83
PID 2308 wrote to memory of 1060	2308	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	83
PID 2308 wrote to memory of 1060	2308	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	83
PID 1060 wrote to memory of 3448	1060	omsecor.exe	102
PID 1060 wrote to memory of 3448	1060	omsecor.exe	102
PID 1060 wrote to memory of 3448	1060	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
"C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
9543c45a106cc2aecb703a8e4e944826

SHA1
ee4807bb2d01fb9277609da329de7e0481a22501

SHA256
c69a99fcd240811ce7d5027e24e39d48257bd9f9063b4e164eae544d546f9f8b

SHA512
77d75a0413e40a98affe5b73fcac617d38ba8013979f463e2d0b6e3a64428a2215cf7220777834d945aa4c459a6d7e1a67ed496755f562fbdc167f60c9ebfd1e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
8939aef631b8de9aec79ef18249a0cc6

SHA1
08185dca7c1387f8831f78ffe1a031a2e6c39b19

SHA256
5c4d1ebbd5989980cd67f4a320723e111764f7ed02cac8637918e1589ac49fb3

SHA512
b8fa39b13cc61dbb6c244c7832c3b86d57d4852639d6e5d6ad44db1060fbab9bdaca00567502b115039c341a23cdf513f604c0a98abe5c4db336512131432206

Download Submit
memory/1060-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1060-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1060-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2308-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2308-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3448-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3448-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download