neconyd | 51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
Size

72KB
MD5

049420ef9cd7519cca3e7b4ef872ba11
SHA1

99d71c4fb1a25113dacc590ca25af52cf534217b
SHA256

51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec
SHA512

e0fef17b7f58687e8b127f3e4e0cd8d5af5c4e42df154a37d36410305ac23ac8e939aab1ef1e653d53dad50287615bfc48ac6f8e97bf8a3105736383e7e50b91
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52111:XdseIOMEZEyFjEOFqTiQm5l/52111

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2596	omsecor.exe
3700	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2596	3016	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	83
PID 3016 wrote to memory of 2596	3016	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	83
PID 3016 wrote to memory of 2596	3016	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	83
PID 2596 wrote to memory of 3700	2596	omsecor.exe	101
PID 2596 wrote to memory of 3700	2596	omsecor.exe	101
PID 2596 wrote to memory of 3700	2596	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
"C:\Users\Admin\AppData\Local\Temp\51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
62ae4fb6b7d767829c162a3db364ec6d

SHA1
247a0ce323cfd9c91bcd54da90cea7e0bc4363c0

SHA256
d4f09eb293ece5cd91d773ed1d6b8e061a53ca0d4c407a99f3956060753b8df6

SHA512
2ce44fd742d78f33434753f74c8cfdce7b2651f951d4d66d29873ee3c50bc09199aad52695bfb289c86aae4a3621af03643b7d6df86b5bf896c93ed7bf9b4037

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
40d2bc714ac47c8f9dfe3217fae97cdc

SHA1
0290833f3c0b0bce5099b40a86e16140d4ad7b53

SHA256
8fbf2fd2e28e69c919dc8b5db6fca4570f6e427f8c8069113a712f00417cf963

SHA512
bd9ef5620eff826e5918b2390bec2cf358110d849bfe9ad51241e4a2c5657dae51b724e4ba134407ffe00f6256e7627687a5224fe76c1bfc2d20116aa928e670

Download Submit