neconyd | 6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
Size

68KB
MD5

0295c61e19ad7ba011aa17ec0dd2394a
SHA1

3481a44ab262289f4863fe9180eb7644474d0281
SHA256

6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0
SHA512

8b8294af942b27f226afd2a1f1f8a13f9ef45f5ce61c9087c3db61df3cf82cd5e4ed8c44c53a3fc3e9021f95e9d51002397b62e6a8eb3f7102bd34bc124a8108
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:LdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2756	omsecor.exe
536	omsecor.exe
532	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
2756	omsecor.exe
2756	omsecor.exe
536	omsecor.exe
536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2756	2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	30
PID 2888 wrote to memory of 2756	2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	30
PID 2888 wrote to memory of 2756	2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	30
PID 2888 wrote to memory of 2756	2888	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	30
PID 2756 wrote to memory of 536	2756	omsecor.exe	32
PID 2756 wrote to memory of 536	2756	omsecor.exe	32
PID 2756 wrote to memory of 536	2756	omsecor.exe	32
PID 2756 wrote to memory of 536	2756	omsecor.exe	32
PID 536 wrote to memory of 532	536	omsecor.exe	33
PID 536 wrote to memory of 532	536	omsecor.exe	33
PID 536 wrote to memory of 532	536	omsecor.exe	33
PID 536 wrote to memory of 532	536	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
"C:\Users\Admin\AppData\Local\Temp\6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
1e775908406d82f33410d2c5fe79c973

SHA1
1a1cb76873f4c9a9571456b5012259199c6ef9cb

SHA256
8f673f75d0689371a1a5e97fda71f4edaeec53264f122fb5fc39c039645ef932

SHA512
72ca66ace4e75c360051fc93fbde6e73184fd381c020be2d3401eae257b495ac17f1a5c87de36df07e66c4e0f44beff59048087545c8416eb8e72dd1f7154b58

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
c469723395cf0417eb6211596b8815fe

SHA1
0e8418510b9e24278af5518904533effca79b3b8

SHA256
0f09626687c9212bb5cad120c384d526c97aecef5dbd6c9a75cefeaa2834efef

SHA512
1223f4e8ecf48284a8a5281c8c9403ede97777b5079b3b597f43f8369f79b784394347d7bd5c6e2652aaf8ae05f30ae1321e0ebaf53c86b573ee1c6d7bade354

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
96898ec875e7b83265896c6b4069e422

SHA1
8a7840e2c5d130ab14ab9b92b405482f1499c7f0

SHA256
98818fe05a1a988c51b89a0cb5986074bb5f6302bb98a681b9dff98c2672207f

SHA512
fb68ac93aa06d459f55b1c9e5ef0634a68a71a889d0b60e75eaa06d3f887edc3fe8d7168afb4ea6ea887c7f4b8f6ff2596f3bc785800d25e9e1205e5f235a519

Download Submit