neconyd | a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
Size

65KB
MD5

ad1b2166005f6267650b497d06a5daa0
SHA1

fcb349de5138a3f5c3a7a17785615ad25191d5f1
SHA256

a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3
SHA512

a8035e04437bbe2b6d249b9645f49ed79d994210bc25bf19dc1d059966bee2c448d32ab3c5c1b49416b8777ac4e892752510ef2531272ead69d2e8ebd805f5b0
SSDEEP

1536:Ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:sdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
5064	omsecor.exe
1824	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 5064	4416	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	82
PID 4416 wrote to memory of 5064	4416	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	82
PID 4416 wrote to memory of 5064	4416	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	82
PID 5064 wrote to memory of 1824	5064	omsecor.exe	92
PID 5064 wrote to memory of 1824	5064	omsecor.exe	92
PID 5064 wrote to memory of 1824	5064	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
"C:\Users\Admin\AppData\Local\Temp\a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a7e1a9286af24893128c0761c66bd839

SHA1
89f00c3d9347a566bae5aafa9631040e5bfcee10

SHA256
229b04c59d94217a56b8e4dcae5ba03779d702a457d96db908dece60cd3c67fe

SHA512
7c0d22ee74ccac95af29dceff72fa6b2f096473f7ad0f951f18c7036393d1f318016bcc215dd0b613fefccb2c1bc68d630c990d46d038c64ece6bbb4e500568a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
419a979eafd697a52c7ccb4fa76fc687

SHA1
3a649986b4f2cc10f2bf959c1974b49ecb92a356

SHA256
d4123d15fb4db20e5134528329ce15613d64a19708db037901872b6fb5c4579b

SHA512
222d9c109efce6e0e4970e4cac57725f8f9f737cb141d6a77595d50de691f94b46026c62f5a6b1999130da1823b2807314e9ed197a971a19dca8fff012d28e61

Download Submit
memory/1824-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download