neconyd | 7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
Size

76KB
MD5

69283bb5bc570089d169328e822ac0e0
SHA1

f124019a4ccd967b4a91dafce59097ef6d845850
SHA256

7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799a
SHA512

14306466426455e85d9805d509a89c5809c836a87607742b0bea83873831736544ded10e2779f808185cf8d976be2f999093fc5643e0616858b1c64c0447333b
SSDEEP

1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:fdseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
60	omsecor.exe
1404	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 60	4600	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	83
PID 4600 wrote to memory of 60	4600	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	83
PID 4600 wrote to memory of 60	4600	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	83
PID 60 wrote to memory of 1404	60	omsecor.exe	100
PID 60 wrote to memory of 1404	60	omsecor.exe	100
PID 60 wrote to memory of 1404	60	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
"C:\Users\Admin\AppData\Local\Temp\7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
754f7742e64098569ee4c4d15fdccb84

SHA1
6fe048c9d1ed5337b1b65cd0f641a71eeda9c1dd

SHA256
5eefff4b213b342ced4d42b1748700c0682b3f30d27d38d406b731980f19e7cd

SHA512
a8ac38f30108740edc1df7a1fc690111112dc1191b92a26b5c69d07cbe86f706b9cc8c6ee5b845a93b69e9355aa2b3e321ba1d481a4e4754c16ccab7e32a9331

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
a30fee7e8d070e9f08619b667606616c

SHA1
ee25476ad31ddd62aec7dbb867591582acc91b2d

SHA256
9216592a780036eed24732c3f28e9f176fb5f12967fceb94e8769efc495f8ea6

SHA512
15b38f527305b2157c6a460622ddb0d2264371f801a6b168945fab54efc629d6e43c47aae915e143c86c971b13210c8380614e1a1e25c02a2ac6e3fe8869f486

Download Submit
memory/60-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/60-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/60-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1404-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1404-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download