neconyd | dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
Size

80KB
MD5

795f2d2e2962e83c62eaac64a020763f
SHA1

bca9efebd53235dd835c1534a0b53a9f58a6fc6f
SHA256

dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a
SHA512

a8c90d2cdcd4f51296dd0d7561b085ea7c776d6a3fa213256d26df6820cacc472fedd976110ce407bc77ce24fe1d42ac922ce46c2a72a906805c42809c1fa34b
SSDEEP

1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:udseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4960	omsecor.exe
2056	omsecor.exe
3472	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4960	4836	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	83
PID 4836 wrote to memory of 4960	4836	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	83
PID 4836 wrote to memory of 4960	4836	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	83
PID 4960 wrote to memory of 2056	4960	omsecor.exe	90
PID 4960 wrote to memory of 2056	4960	omsecor.exe	90
PID 4960 wrote to memory of 2056	4960	omsecor.exe	90
PID 2056 wrote to memory of 3472	2056	omsecor.exe	91
PID 2056 wrote to memory of 3472	2056	omsecor.exe	91
PID 2056 wrote to memory of 3472	2056	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
"C:\Users\Admin\AppData\Local\Temp\dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ba405e7160f13c2726d6752c069134c5

SHA1
f2122bf5d5a65a991b5181a5a9e64444b3d30fc8

SHA256
2c0490eb6aae25d101f5944422489ce9b1c7626153d20a34d0d9501e215ab43a

SHA512
e901a64e120294ea8e1d9f4eee36b0be9b1493a69df05de6db5510be26efd02af8174be2b5ec7d1f2eee98f1cc852c9b9d1fb6711f3db22691de14354d2ee6d0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
5bbe6946a8f827a135abf8b68fa6537c

SHA1
a7f92e3535de609bd37ddca11248fcf343228fdc

SHA256
084929250ba6eaf5c333f24ec78cdd96393b59e950d054bf38a656d44ae3c8a0

SHA512
2f499c1f93471218db24b6e48d5909ec3e8c8a09061f53cdc5985925c628c2049b94873b421d64b5296645546060689be272149a6b4b6122b7e015abd17af822

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
9ed2edbbba89629b4264ff7109d945f3

SHA1
c3822e1e25c961e5d74770374fac98be11252448

SHA256
1f018fc97abf771b25f0e62bc7401e4e733b4e529902e8b38fa0abc44fc40436

SHA512
6c2636c69b1f5b3644495cdc2de9d571c26c0871fe1c47a55fb22dcf4dbec007d051fb35dad011520dc8bc5360696c69b2b31bd3f3664e41006f350ce844cb16

Download Submit