neconyd | 2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Size

61KB
MD5

d8b6d1e5d8f4a0a2502cb88b05946362
SHA1

65266340274f3786fe7174758b488abd11b2cc77
SHA256

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1
SHA512

af48816b149d55d60e851f2d6714e200d1a16808bad51c9be2c2f044b62a8be7564554c69f1478b487d7af87a8852c404aad78d22243b979a58d4e22f067cf72
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:kdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1144	omsecor.exe
4640	omsecor.exe
4520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1144	1660	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	82
PID 1660 wrote to memory of 1144	1660	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	82
PID 1660 wrote to memory of 1144	1660	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	82
PID 1144 wrote to memory of 4640	1144	omsecor.exe	92
PID 1144 wrote to memory of 4640	1144	omsecor.exe	92
PID 1144 wrote to memory of 4640	1144	omsecor.exe	92
PID 4640 wrote to memory of 4520	4640	omsecor.exe	93
PID 4640 wrote to memory of 4520	4640	omsecor.exe	93
PID 4640 wrote to memory of 4520	4640	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
"C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f03624ab93e3c0351fbe3245e5babfc3

SHA1
a124a3d00e256936253efce5ccc2958f9dcbf53b

SHA256
a8ba30c9512be2376b530824a52824f68f9ac7565f895d12acb395d255903ee2

SHA512
d18040422ebece599f962ccc658e37a9ba868dfc505dbdd323d3e31cf0163a009e3c3e101cd44bd076ef57e0f7e4ae083db26df7b29f89dac9b7b8d80b0c12e0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5352975a664ecc85d9f610839f3cc3f1

SHA1
8d2818c9217ad3ebed0f005c84eb2015d73a6023

SHA256
4f7f4ebd2f55f2d1e3abff84adaf6618f8c99ffbe9b467e1caf1eac10ebaba9a

SHA512
979cd5a6b5b494bedf2dfeeef82bc7f22fb3060b1afc5f491139b4ee1c8b22702eb8672d831d640c0da81addbcea68c0ad1b32745b276561c02425395179fbc0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
ee90b600fd4adb3c2ec3871b46c50d14

SHA1
336f8545a461c135fe0280e93191ca30e495eb8f

SHA256
e4d6ba3603b484f3761c55367379860e51d5142a90b72e411ddc6be8339186a9

SHA512
8b56e4c315e4fa2d2b189715c73dab60ec4a12517dd9552840909d46bab60c1ff3cfe5229f2941a8007acdfd82740e2c0d36debb67698adfec012e33d8efe9dc

Download Submit