neconyd | 469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
Size

80KB
MD5

2209e6abb473b890cb413f8a02d969e8
SHA1

370459728393e67bb3416dd7f418613699b9ab92
SHA256

469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c
SHA512

4dcd5aca3fe607a66b4628ca550a6dd697150b81f24a58368855662e99ffc29419b33766a2c98b89d8c629803fbefd4054f3015af52f15ed34a1f3341e7a4a86
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:kdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3200	omsecor.exe
916	omsecor.exe
4076	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3200	3396	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	83
PID 3396 wrote to memory of 3200	3396	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	83
PID 3396 wrote to memory of 3200	3396	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	83
PID 3200 wrote to memory of 916	3200	omsecor.exe	99
PID 3200 wrote to memory of 916	3200	omsecor.exe	99
PID 3200 wrote to memory of 916	3200	omsecor.exe	99
PID 916 wrote to memory of 4076	916	omsecor.exe	100
PID 916 wrote to memory of 4076	916	omsecor.exe	100
PID 916 wrote to memory of 4076	916	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
"C:\Users\Admin\AppData\Local\Temp\469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
602e95ced71537c48739b3ed15454f0c

SHA1
896209ab66a44ac2c67384967fcbcc06416514e1

SHA256
03b675f151d45feb20e433813ad8b54546d02a8d3a7711fb9454ea32b56f9984

SHA512
6a518bb05c6c7a10f8d4641494feed8c88bdc613fe28eea831b8bca96d535ccbf615d02eeab1d728069378dcbbc8ce99c809086e3934e24291a6a923d23c6bd2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
07d9b0ecaf47317cc30b4941dbe2c44e

SHA1
ca59db74b49e14215c01e1bf3a396626018a261e

SHA256
3a58477e0b10e1fe4940226333100a673c6aa034753d5cefbb920046c9315c3d

SHA512
3ee698e638bcec592ca2402e778bd262324b2cd32e59cbc7371a8d8727bfe16af255c81a72a094393a85e2f1ebd688ef63e95e02ed931754e86e0fcc286ac1be

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
34b5158f48c2dc9618618e7850caa4de

SHA1
f84b71fd4d5d1626379c722af717a354958cd8d6

SHA256
14aa461efb2f9fbe8d5f26f56fe1e38c067b8735c7e5ded18c36357233fa0c85

SHA512
531eba2bf6769abc521288158bba743e331e2b1db64dda9a0df54cd798a729a8cac5709fa8668378d34fdde0a863468e64859d68200012f15b416157ad7faad6

Download Submit