neconyd | 6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
Size

68KB
MD5

0295c61e19ad7ba011aa17ec0dd2394a
SHA1

3481a44ab262289f4863fe9180eb7644474d0281
SHA256

6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0
SHA512

8b8294af942b27f226afd2a1f1f8a13f9ef45f5ce61c9087c3db61df3cf82cd5e4ed8c44c53a3fc3e9021f95e9d51002397b62e6a8eb3f7102bd34bc124a8108
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:LdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2816	omsecor.exe
3040	omsecor.exe
5084	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2816	1556	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	84
PID 1556 wrote to memory of 2816	1556	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	84
PID 1556 wrote to memory of 2816	1556	6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe	84
PID 2816 wrote to memory of 3040	2816	omsecor.exe	91
PID 2816 wrote to memory of 3040	2816	omsecor.exe	91
PID 2816 wrote to memory of 3040	2816	omsecor.exe	91
PID 3040 wrote to memory of 5084	3040	omsecor.exe	92
PID 3040 wrote to memory of 5084	3040	omsecor.exe	92
PID 3040 wrote to memory of 5084	3040	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe
"C:\Users\Admin\AppData\Local\Temp\6a5c11e47bedc0a5af5fa499ff02e67eefef6b0a829f32360636864314e8cfa0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
72ce810d56d909c87ff4a964aadc0d29

SHA1
8e9e3d0c745700f5ba95d83e68d825e8e3f49047

SHA256
c652b642ce41cbda3d26151deed4ac5f6675864fee172bb3f7961079b744705b

SHA512
819aabf08a91ed52022824d17663d2e7409e446ae2aa2895a5de103db58d277ff807ea8622f7082dbc9829e7bf4b8bfcd058e750d1ff44f635a1b37584479996

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
1e775908406d82f33410d2c5fe79c973

SHA1
1a1cb76873f4c9a9571456b5012259199c6ef9cb

SHA256
8f673f75d0689371a1a5e97fda71f4edaeec53264f122fb5fc39c039645ef932

SHA512
72ca66ace4e75c360051fc93fbde6e73184fd381c020be2d3401eae257b495ac17f1a5c87de36df07e66c4e0f44beff59048087545c8416eb8e72dd1f7154b58

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
32f511b184dad69baf4800c314e256d6

SHA1
b8fde0eff959d6ede6c975acd66da45cb557b1b2

SHA256
451859aa7d3156e3f8d9dddea1be3e5a3f8c13ca1d07d4a4fac334d1bb405074

SHA512
53601445d496e65ef0a877fbb0b8f01849e53aee3bc6c115813664bedec481162e0bde8aa7ac4f6e8c1067f168b739961363cca2e8398222fe9fca8c5a18b76e

Download Submit