neconyd | 50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
Size

92KB
MD5

98108b579aa9cb4b2ce50da34ddab740
SHA1

b340d2bbacd14cc02b54e47b44c5c99d34c84434
SHA256

50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481a
SHA512

906e30a5c96cc99d1e70a092c814f6a882ec80cd7dbea11874fdcdab182b59423dc21f3ea09c47ed54233b7f25feabdb8c4ffaa8bdfaff87fca12b711141c04b
SSDEEP

1536:Zd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:5dseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3840	omsecor.exe
2332	omsecor.exe
4472	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 3840	1220	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	84
PID 1220 wrote to memory of 3840	1220	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	84
PID 1220 wrote to memory of 3840	1220	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	84
PID 3840 wrote to memory of 2332	3840	omsecor.exe	90
PID 3840 wrote to memory of 2332	3840	omsecor.exe	90
PID 3840 wrote to memory of 2332	3840	omsecor.exe	90
PID 2332 wrote to memory of 4472	2332	omsecor.exe	91
PID 2332 wrote to memory of 4472	2332	omsecor.exe	91
PID 2332 wrote to memory of 4472	2332	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
"C:\Users\Admin\AppData\Local\Temp\50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
071e4d0a2fc09c9e7bf42ac5074f84ab

SHA1
5488666dde76af907a3850c69086db14f39871e2

SHA256
22adec6063a0dde5f2b285afdbb875c0c94831f52d700e53f69bb2c0ed5aabb4

SHA512
dfe5239d870a5614b74ead8877586cc2962b3403a2194f1767658e94adf2d6d3a0aeca67be0ef7304e5286eacd4b66357dd71e575905dd05b4001690e169ecb7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
e8867b1826f19849aee119dfff01fd08

SHA1
492c1110321c3041fd57c70bd678b14caf7479c3

SHA256
4325795035004f5c12049cea790c39c922f0f84b7a3068d63e7b57ac349a5a4e

SHA512
350227516fa47b28aedcd7aadb26c8c792635f4a62c1fc21a92d8737dbf550d332554c59a374bd3cd72d288350a34e5dcd72e0df32489bbe7fe2d45ea0f1f1da

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
c632aa83f4c55824176ab505a358100f

SHA1
ac1895e8605828388255ec04d6e78d3a3675e904

SHA256
a3e995d64c1e7f1b427c59ce12e193d62274b3aed9a64ed33595dc484436122d

SHA512
90a20df67ce70064a932db346cebab2e0655fe3c6be7e5f05017dd39aa4ea31eee2efdcca9b227d768deaf5e46263348bc5327105531e79a4a96b5cee7115c7f

Download Submit
memory/1220-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1220-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2332-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2332-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3840-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3840-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3840-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4472-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4472-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download