neconyd | fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Size

92KB
MD5

8dd4e855465f49a4ae7d98fbc238697b
SHA1

eb2b09e71c5a46cc7114f2d21d1ee38d4d472186
SHA256

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf
SHA512

76e5ca371ee47db26427334025348dce7049b301552077bd0f23256161d047985141cba971f1440ac30f031fba981a3fc259e25f202c1c8bcb0e810de8bad2ea
SSDEEP

1536:Kd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:KdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3304	omsecor.exe
5028	omsecor.exe
2224	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3304	2196	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	82
PID 2196 wrote to memory of 3304	2196	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	82
PID 2196 wrote to memory of 3304	2196	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	82
PID 3304 wrote to memory of 5028	3304	omsecor.exe	92
PID 3304 wrote to memory of 5028	3304	omsecor.exe	92
PID 3304 wrote to memory of 5028	3304	omsecor.exe	92
PID 5028 wrote to memory of 2224	5028	omsecor.exe	93
PID 5028 wrote to memory of 2224	5028	omsecor.exe	93
PID 5028 wrote to memory of 2224	5028	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
"C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
08a62d3c4700fdb5fd4f94395b805928

SHA1
2b41ae4edef3230873a5daa01bde5f40cc029e09

SHA256
43b362df70f940351172d2bf1db6b90600afa118c09f3c673affd8e20bd2771b

SHA512
17e6088b4dc70c0942b6c7509cd9ca7b897f95a5d45c64cfbd51bbc94be316d6daecaca100e4fdbf9974bf5dd8db95aa531cfee56f5ff708eecef0fa6ee54eb0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b40b890e60357bdb7e22ab3d85c42ec1

SHA1
d2985447a8695539b1f11c925eece7f201012c52

SHA256
c172b933622115fcc497917a4cf8e9751c1da7f3bfad246c011ccb29bff7d615

SHA512
4542df1b9a2232a5492516737d5b71128b00f85d98fe7d6ecf8d6f1d4022c38eb04a8ab0958ac2bc735cced44acc7ea55f60c33da2cbf3feea1b5819247d7771

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
ac5afd178d9c27a957ea1796551bba84

SHA1
32766d375cca800fa61457e45aace110b4b469fb

SHA256
ed5edd0dbc6b57944f32d2743144257c55086e1950c98cc25b67dacbb03d7840

SHA512
009dec22f7a6216b0b8d92fdf132e4501c0ef4b19557e4d7232a34bd139c05d0c0cd58773f31ab64b29025eaf3d5be428ecc35de7f0740e66edefde36a922bd6

Download Submit
memory/2196-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2196-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2224-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2224-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3304-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3304-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3304-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5028-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5028-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download