neconyd | a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Size

90KB
MD5

a38465706d079d0ccb6ee3ac3370393f
SHA1

4c6db81007225f615f8c910cdeb959a5c95a6aeb
SHA256

a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f
SHA512

42c70b1eb2174241bf769b4b5acc99a70ef310d4b157e2e54ed512bc8ca80b73d197536bd35c77e64abb261afb819ba1d13c725db88a43991523e389adb75b87
SSDEEP

768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:tbIvYvZEyFKF6N4aS5AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4532	omsecor.exe
4552	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4532	3880	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	83
PID 3880 wrote to memory of 4532	3880	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	83
PID 3880 wrote to memory of 4532	3880	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	83
PID 4532 wrote to memory of 4552	4532	omsecor.exe	100
PID 4532 wrote to memory of 4552	4532	omsecor.exe	100
PID 4532 wrote to memory of 4552	4532	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
"C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8c60b488dfbc5baeb6def2e229c6c752

SHA1
829563f186b5bb81341eeb955ae93f1fa681dd29

SHA256
abc77c4d6c6d87348ef5de6e04449d13d48f1f77bb8b737f8ac4d73a50c416ac

SHA512
e692b6941223e7edffac942bf54965c86e41222121035407155b5f1cf0910d983a40c29d3c4e8091dbf802985d0017b7e9a5bb5205cd9af55ed453b6d8087df9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
0716fb319c2fba84fb3fa795084c124f

SHA1
dfa811cd501a3a57c78126801cbd81fa7464906f

SHA256
0ebbb3e4a8708fde5956d02fadf39d407c31664a923d5c1ff81ede842a4a3566

SHA512
c318130aa821445cab7eac6cf644ddf25186c86c131a14ca71a17ed7be1a6498ff708770f47cc22c912d1c9caf857633bd712290d86bdadbcb7faebe590ddb3c

Download Submit
memory/3880-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3880-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4532-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4532-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4532-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4552-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4552-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download