neconyd | ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
Size

76KB
MD5

3249742a7d0e3497996c9de74db29b00
SHA1

a132d9ffbe6045ab69b35a7d8acb3dfa947273c0
SHA256

ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053
SHA512

02d1fd6a4ba75049a07c05b7852dbc14a27c7a2ae69176f6e949b28f9b71c70142d44af2833dd20f0bd3f7641d1933f967e3fa1e55bbf11a488c06754172d251
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:/dseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4420	omsecor.exe
2932	omsecor.exe
1268	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4420	5068	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	82
PID 5068 wrote to memory of 4420	5068	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	82
PID 5068 wrote to memory of 4420	5068	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	82
PID 4420 wrote to memory of 2932	4420	omsecor.exe	92
PID 4420 wrote to memory of 2932	4420	omsecor.exe	92
PID 4420 wrote to memory of 2932	4420	omsecor.exe	92
PID 2932 wrote to memory of 1268	2932	omsecor.exe	93
PID 2932 wrote to memory of 1268	2932	omsecor.exe	93
PID 2932 wrote to memory of 1268	2932	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
"C:\Users\Admin\AppData\Local\Temp\ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d8f4e8d204c17ea4fa86984fac253720

SHA1
95d4adb02588e75c4cb624c790499c80d847ac03

SHA256
532c2f16ed85b92ccc84a9b5f042dab07a62ba8601289153ecb2ffa023c5a9f7

SHA512
a97181fdb6e3397fdef9f881b5fdf58e76ef62f8de55d18603fd323afb63717c7dce6b19968d051eea71d5bc5f53471d6d9a208bd88b6b939edcf77fa5a419c7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
baf1f36155cf84fb7b0b3f63f81fba01

SHA1
9af57ba8309f096df3d7d9df28175c318c057608

SHA256
40c86f3d586f85c41a766bc0b017d7776b38825b57de189c38cce866af428516

SHA512
a4e5b21a754e4e8c374a370e22223a6bd14f355b0aecfe91cbf75005757f68101cd8a515e5ab5ece36440583f99b11aa2831b93bfa4f8c16cb295b86633082a5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
24994bdef01886c48e325ab8e10c64dc

SHA1
52c788df88e3b4f012a322889966af32e27b7f45

SHA256
fa5fa2c85de9a5698cfbbef10c205b3ec896ebc83f39a3970f4bb277c1211da5

SHA512
161722c72489bbd8f61147e3febbe0dec5944cb2f03d902f973830bf1e88b8fe082b25fe97c580206ece35d6fd4b1371379883ede2cf656a6752e41c3f3e8136

Download Submit
memory/1268-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1268-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4420-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4420-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4420-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5068-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5068-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download