neconyd | a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943d

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
Size

72KB
MD5

e29e0c6b9f301f484ca794d6bc375030
SHA1

076234eafa6868e095ad2b5637b5a1efbe553fd8
SHA256

a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943d
SHA512

95e115f23f54b86cbf98c8b6a67486d8ccf53233f76fea06dfddb00b4a7bcf57879498edad4968f017ca4c9e9142a8825dd7e5b74eb9fc834991fdcf5fda821f
SSDEEP

1536:vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:HdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4216	omsecor.exe
4896	omsecor.exe
2712	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4216	1724	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	83
PID 1724 wrote to memory of 4216	1724	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	83
PID 1724 wrote to memory of 4216	1724	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	83
PID 4216 wrote to memory of 4896	4216	omsecor.exe	100
PID 4216 wrote to memory of 4896	4216	omsecor.exe	100
PID 4216 wrote to memory of 4896	4216	omsecor.exe	100
PID 4896 wrote to memory of 2712	4896	omsecor.exe	101
PID 4896 wrote to memory of 2712	4896	omsecor.exe	101
PID 4896 wrote to memory of 2712	4896	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
"C:\Users\Admin\AppData\Local\Temp\a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
cc89f1804f401f063d71b8a0b225592f

SHA1
dfe5b0bf7450a11bf415f911954a8e52ba3a2b1b

SHA256
e0f1fcf93b74b730852fde225e71ef03a02e74589ed11259074ba32228e527e3

SHA512
b9647f897b1c84aa48a22723d2d9b2521f1c9568873666fcf3d581e75c8bd57fe7b59ae8eaf14b0638095c298b2ae9d8c0784ad8f726d82526a7475425241bda

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
925277aeea72a909e6c7ebd5af58e97a

SHA1
dd098043ccfcd9b76bf449b55f5ea2716f964f6f

SHA256
29bdad15d09264dbef6826b1e41ec7e99af89ea8a127cf3fef271bea729f11ac

SHA512
5332338cf16943f749a558e60f9a6eec8fc1dd22eb55b4111b080d079612b0ead5a73ccb8c4605b0ab5d6bfc755212c71a9655e8e705ffc75fdd8b9d92f39994

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
5de868a6439b921a53cafddb0447c0ef

SHA1
63a2e826b2d569693de71a9c50121b8e2198e819

SHA256
096aec9236c9a5fc986c33fd6c0ee23e553c001f1dad38a5f7705d61034b2edc

SHA512
a076ed112c7d7a133c967d4597c6a15585d2b2f8c8ecc3045ed208dd9f612ef7cd17c137f3a8c6994effe2cbaf1fc500509d6e6e13d0ce2adfb3681c07a3459e

Download Submit