neconyd | 103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
Size

71KB
MD5

d5caadd3a36bbd871cfe9e4ad81bbfe0
SHA1

8052be741045ed191cc7b36589b2dbec12bd96f0
SHA256

103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6
SHA512

2bcccffb9c2a58e7b13a0241841f67caca4d745057c12699fad85693f52cb60c1eb4b4e83611e1c1ff01d36300c5702eccb8dc12843fe6f1062f94db447b2003
SSDEEP

1536:Ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:8dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
3028	omsecor.exe
4556	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3028	4664	d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe	84
PID 4664 wrote to memory of 3028	4664	d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe	84
PID 4664 wrote to memory of 3028	4664	d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe	84
PID 3028 wrote to memory of 4556	3028	omsecor.exe	100
PID 3028 wrote to memory of 4556	3028	omsecor.exe	100
PID 3028 wrote to memory of 4556	3028	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
1db297ad35dd61a0931fa4015fec1264

SHA1
2396d371da5776ab6823df870fb87c6bbfb08961

SHA256
a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49

SHA512
4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
f9a0a2a5ac809a3fb667abbafbcbbb08

SHA1
0ce9c4b64a2a758a32c9a3be737aaeb95cb27c6a

SHA256
e5ddf9f957a43443bc0ac388ed97baa09cbdd6a27b6828f0bc667e1ef2e0e819

SHA512
6a866668336d62417eb8b174c1d9014d7338508676c968b7f760d113ac91e43e1c2ce91a21eb7d7d9f8558e76a2591b963c3e22185753b7dac88935568a76bc0

Download Submit
memory/3028-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4556-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4556-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4664-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4664-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download