neconyd | a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f

Analysis

max time kernel
115s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 15:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b9f893b651a4c9f9bce4860abcf5210N.exe
Size

92KB
MD5

6b9f893b651a4c9f9bce4860abcf5210
SHA1

2b40dee78eb457c2a6481d6eec8cfa621a7a2135
SHA256

a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f
SHA512

d96a0b5d8f9afb0c5af8b49fad2c97ce2f53f2f328d72932622e866a70b7b6f6af748978875c78689f5da1cdc1cc4b013884ec8a8765f2364d3c3ac4448c8247
SSDEEP

1536:zd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIO/EZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4860	omsecor.exe
1420	omsecor.exe
4056	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9f893b651a4c9f9bce4860abcf5210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4860	3632	6b9f893b651a4c9f9bce4860abcf5210N.exe	85
PID 3632 wrote to memory of 4860	3632	6b9f893b651a4c9f9bce4860abcf5210N.exe	85
PID 3632 wrote to memory of 4860	3632	6b9f893b651a4c9f9bce4860abcf5210N.exe	85
PID 4860 wrote to memory of 1420	4860	omsecor.exe	102
PID 4860 wrote to memory of 1420	4860	omsecor.exe	102
PID 4860 wrote to memory of 1420	4860	omsecor.exe	102
PID 1420 wrote to memory of 4056	1420	omsecor.exe	103
PID 1420 wrote to memory of 4056	1420	omsecor.exe	103
PID 1420 wrote to memory of 4056	1420	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\6b9f893b651a4c9f9bce4860abcf5210N.exe
"C:\Users\Admin\AppData\Local\Temp\6b9f893b651a4c9f9bce4860abcf5210N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
78f42182786675aacd323282136e79bd

SHA1
82f6a1607c8eb97970dd428e00eb05f5bf396064

SHA256
332655562821436139697eaa926f4b003d056b113b933ee750ccde97bb2d7f92

SHA512
6f022c7fd06fb6245af6e53377463340f881e1bb32be107addf346598224d57e9fee8affc9f69c21b02e4e6eaf5761e3c70d92a114042b70cf3b48300a3d390b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
fff7a8898ed69d53a1069422e07a8cf5

SHA1
173e886d68080a89b678d83fc81dae27bf4eec2e

SHA256
a34a8cb30dc6de3e649ca267af3ab484cf9dc417b71e037a27b88466a3d25c87

SHA512
3cdcbbaa41b5e52de0c442bc933457d09285d55feb77878f3a5aaad69c1df94d79b9bdebe3ae6e78a15fca90c7337cdc0995bdd23abed3a65c47599e92ac8579

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
2e0a4d70b61e86b0fddb1156171c16ae

SHA1
53a28eb35500d1af285729ed7f09fc2ef4962b7e

SHA256
bd6af2c53d2ee63da8ebf3cc78bc3c90f4ee8a31e4133171c87f342ec57dfab7

SHA512
1126a7b8658371afa14bf87b5962182399547ff8e40e09ca546066ba787207232390f3634fc675a524db531229574e4145b7292e932b8fcf39890d0c536c839d

Download Submit
memory/1420-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1420-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4056-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4056-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4860-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4860-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4860-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download