neconyd | 958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5be

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe
Size

80KB
MD5

d7ee3342e8fb2ff91b43d8273eb65f00
SHA1

b274578007da1aba93a09eb6332e2f9803bc3cb1
SHA256

958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5be
SHA512

b98f73b23aeb657ae774a66a4f76a4cb8682f2f9a13c3c830cb536eb9955bebb8e097dbdc6be4e596094400bf5cbd04589882399612b79e35e18ebc41dbb3b5b
SSDEEP

768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:6fbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2356	omsecor.exe
220	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2356	3252	958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe	83
PID 3252 wrote to memory of 2356	3252	958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe	83
PID 3252 wrote to memory of 2356	3252	958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe	83
PID 2356 wrote to memory of 220	2356	omsecor.exe	100
PID 2356 wrote to memory of 220	2356	omsecor.exe	100
PID 2356 wrote to memory of 220	2356	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe
"C:\Users\Admin\AppData\Local\Temp\958ec3fb87126ca4ed9bf1a920231d345682456c5dc084b235fb23a04893b5beN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f05975f1b0b9103ff8487fc2926f404e

SHA1
fc75f619e997a9602278cf06b9de6beb4e5ca9d8

SHA256
f60c2ceff56299d244b7dec4e40a35f6b25d2cf9dadb915432c6692015af4348

SHA512
baa344b3c6fb2a2a27423f48d6984b0b3c7f7a3ec722b61e2bacaf64a2bf618c057103fcb6ce50232c7f5c03c120588acbe00e8bb98eec8a72869536e90f330e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
5a56d44127daadd4e2c4101ffebb4573

SHA1
04c192327d0d4fe06cd68ef320a0779c751cb6e2

SHA256
51d73c5b94cf1b28d47444706cc58ef87d5111941b78dbfde64314a4f17a7b4d

SHA512
3b6ce3839b6c1eade3ce70e345c5227a13b414b39a3fb9348684784a0acad6d58b92eab927ad26a676d3fb9161f5ede88b9109465651a372dbbeb80997168176

Download Submit