neconyd | 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
Size

71KB
MD5

2cfe0f618024241fd92a21de19831700
SHA1

ae2f30105ae1b9c7751f283606fcace01f42cef5
SHA256

909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252
SHA512

d35ceadd67660fcf9d17b4a4442eac677f8a02dad6d12b494c39536e88ac936fd6e4cc5abb95068faae9251e4fa0b70e315126409047cb655db0a3c02ed82d02
SSDEEP

1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:IdseIOMEZEyFjEOFqTiQmQDHIbHV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3044	omsecor.exe
4700	omsecor.exe
2096	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3044	1728	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	81
PID 1728 wrote to memory of 3044	1728	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	81
PID 1728 wrote to memory of 3044	1728	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	81
PID 3044 wrote to memory of 4700	3044	omsecor.exe	91
PID 3044 wrote to memory of 4700	3044	omsecor.exe	91
PID 3044 wrote to memory of 4700	3044	omsecor.exe	91
PID 4700 wrote to memory of 2096	4700	omsecor.exe	92
PID 4700 wrote to memory of 2096	4700	omsecor.exe	92
PID 4700 wrote to memory of 2096	4700	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
"C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
94dc7ef026ab76f78c33b758612db0c9

SHA1
2a5ff4756b75820d0dc600135c5e5d634782d7d9

SHA256
9914c557421620a86bbb1448e3dcb3e7a6516cf143ccbb42eb486bfe22d38d37

SHA512
ce66fd317398f4134c498f7311281e4b858c6580324095767220ad2e40592d3239f0791c970a472577e48ec285b4df00dedb8789057bf21729da0aa6dcb9c4cf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
1a920717444a48152301011218da690b

SHA1
881ed6183cf768ef3e5d251518d22cd709e64279

SHA256
2af946ab4b09d4683a6b6324e5c59c15d16a4915ae9ebf48f6e90e4b3bd7d549

SHA512
dfa8818dcf05e5d6b341c3e6858a326e2e11a4ee6d93388c1f054315b77721fc37fc8a20046e930d4b956822816de2038e7f995ee0c5706c6ea5bc27544fd2d0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
0868866aa287111b7a0515015257ff13

SHA1
103dab10bbd8e4000e82dcb793c33e1b5035aa1b

SHA256
c0110919109aefcb4cd60d7fdd58722fa7a04a43cc6c619777b976b820c7923c

SHA512
0e879893a65666d7f8f9deccd345219c0346919c7c1cec986a69eec08d36ce7ad3329bdce923f6e29340ccbf1ef5b13621d202f927ac3e488f34d3a539903f95

Download Submit
memory/1728-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1728-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3044-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3044-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3044-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4700-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4700-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download