neconyd | 2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501

Analysis

max time kernel
104s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
Size

72KB
MD5

5c12566295f602c03c2318bcdc536760
SHA1

84fe4be77d660a51cb092c658ef0405657b39a42
SHA256

2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501
SHA512

a533c773df89d316cd81b3df90de69e5149acde7db032bb0557dd3eff462ee7e8db3cd4ce073aa761918f568fe949ca06daf2dc41ce6b5513b855c513a2916b3
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52119:KdseIOMEZEyFjEOFqTiQm5l/52119

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2980	omsecor.exe
3856	omsecor.exe
1180	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2980	2788	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	83
PID 2788 wrote to memory of 2980	2788	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	83
PID 2788 wrote to memory of 2980	2788	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	83
PID 2980 wrote to memory of 3856	2980	omsecor.exe	100
PID 2980 wrote to memory of 3856	2980	omsecor.exe	100
PID 2980 wrote to memory of 3856	2980	omsecor.exe	100
PID 3856 wrote to memory of 1180	3856	omsecor.exe	101
PID 3856 wrote to memory of 1180	3856	omsecor.exe	101
PID 3856 wrote to memory of 1180	3856	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
"C:\Users\Admin\AppData\Local\Temp\2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
139b2cdd5a2851b2c10b16f8bd6fda70

SHA1
0dec2af097259af67d5a800061cb23e6d160b8ba

SHA256
edffce50bc2a70d8b58cf08d6d005531876d1c2969bc401efa84282f309d2a4b

SHA512
af9da924e7a302b4602683b0a2df06b13b42157d3abd73b57715fc5f90a2f75f6d672fabf29c55de8007d902e6c38c5263c24e967292e4e35643f0cae2aa93cf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
fda4a3c6263c4deb3df1fa09af567393

SHA1
cea78d308c3eeebc97aa1925b3730cf60eb4203c

SHA256
52097f71539dfe850b36828ed69f768d867ca29bcdf21349d20dc5a5c67abbda

SHA512
d25ff60db6987b5d41ff02387903af50dc5d86fd27394c38537b7763be93d860557a5ae2a15f994f874f7f9fdf18fab18df17e5af826e3024d15dc8eadd8d60b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
d9ea8cf79b4f45c4c5892fe045101fbf

SHA1
2056a1b43ce0936f2dd163c1b8ea36cf78b7d9b1

SHA256
1f1958236a0513ad5f9849c3ae23aa65f56d8d1a30811cfc0678506b7bb847b3

SHA512
df1110f9093abbea81262a5d026a0109554402af5a1b4469c3b3061703abb429bfe34566f4e0356bd97db68a22c28a095d4b81872b3735028fe7edfd1d7370cc

Download Submit