neconyd | 5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2025, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe
Size

33KB
MD5

043c87cf6dfe98c93427a34e7b174a60
SHA1

fcd7af16157e7870fe6895e3eea40b1f5533f9d9
SHA256

5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55
SHA512

0cf64ef8742eea8ae91d991361f8b66d126144b026837a23183c05956cc37a97093a0f28e58edb2b003aad9075fb92a9bea3b88a70072a1d0a495c122125ed78
SSDEEP

768:XfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:XfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4868	omsecor.exe
4416	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4868	2352	5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe	82
PID 2352 wrote to memory of 4868	2352	5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe	82
PID 2352 wrote to memory of 4868	2352	5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe	82
PID 4868 wrote to memory of 4416	4868	omsecor.exe	92
PID 4868 wrote to memory of 4416	4868	omsecor.exe	92
PID 4868 wrote to memory of 4416	4868	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe
"C:\Users\Admin\AppData\Local\Temp\5777dfcdf4a1aeb13d44e73ceca5cb2f5ccd6472a8bc17f5947cb4037a517b55N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
4487a353ab7ff913bead9834c26afc89

SHA1
129ebced6028fae762df3cf06a476dd46f2c8e24

SHA256
64f920db31408a56f111cbc96b19231bdd848ada32549661dc0c9416f679ad50

SHA512
93a09de99eecd0a89c3e7c937c787e5243b6d83ce2c9e1272f8039c9a8e7b52f03d08c0fe37d2c92b36a0251c486aff478a56a4c3411adf2e0b1f5072c551a38

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
e34b23a5c50047322b47e190f8ccc7cf

SHA1
fd7092fd53167003a08cea99e655222364cc2d18

SHA256
1201209edb6525897dca83646256460036232e84831f0cbd400cfb754f58896b

SHA512
6fd0edad14c317a23d66b011a79f042c5a6dac9fdd2f40f28552286465140d37b1b5af3a602b73e4835a354021d757b141c3a51a6a4cbaaad3797ce335ef743c

Download Submit
memory/2352-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2352-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download