neconyd | 842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
Size

76KB
MD5

8ae135900ab66c987e875879ef79c12f
SHA1

c4c924e2d239cf9ab476744bda5990e106dd8ea2
SHA256

842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce
SHA512

52abaa24a708d60ff96a35c23998cdd5f5f819b41848d38cf98c54cbad66aa7e9498fed4a46d774df1ea58a5542f7eb3c7abe7b38cacd302ebec5ea7309a27f9
SSDEEP

1536:Yd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:odseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
920	omsecor.exe
4540	omsecor.exe
2872	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 920	3756	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	84
PID 3756 wrote to memory of 920	3756	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	84
PID 3756 wrote to memory of 920	3756	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	84
PID 920 wrote to memory of 4540	920	omsecor.exe	99
PID 920 wrote to memory of 4540	920	omsecor.exe	99
PID 920 wrote to memory of 4540	920	omsecor.exe	99
PID 4540 wrote to memory of 2872	4540	omsecor.exe	100
PID 4540 wrote to memory of 2872	4540	omsecor.exe	100
PID 4540 wrote to memory of 2872	4540	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
"C:\Users\Admin\AppData\Local\Temp\842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ac39ba1f7caf277637a43d36b9f46fa3

SHA1
5570760981d835226eb2f15a1f857ba9e805a4c2

SHA256
22516dd2dacfa0899062fba4712076f09b362164f49ae7d026a4727e14200aab

SHA512
3773a97da918b5e1c186bfef807fd939583d5e2122a1bf68c4de1110382eebeb2516b10c72096d954aaa339e362a70d7f04215c1414f946e2dc3882342284c83

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
295965c422f5895f56b7f6e1d32b63fa

SHA1
c678f73526f146baf20f05ce1e6d99f90fb1d9c5

SHA256
2259fde5ba57f621c8343b9b5ece54f63c411735b56cb819eeae634d3a784fb1

SHA512
48669bbad6d69713665dbd95a41fd432c6b4c809b93eb99cae4dec2bbdd4bfa49e211f88ae606e28fa4cb76b40473eb818c257499953c128ebe426dc18ba9dd5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
f0bf491380fa437a42df684c5dfbed91

SHA1
f9c443df94209ec7be9ba1e3c539015888f48109

SHA256
62ff1ddf270c9e255e61c7b2f0ed50cc68b2131e184e29c12253bfd6e455e1fd

SHA512
22bf50b4112a273ed9ebaeaf94fc710c787dfc862b4d05a65737338e0ca13941d6a5db3a06ebdb85b1c2d27af8cebd350f58318a280bb68a2a9e1d51217e7251

Download Submit
memory/920-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/920-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/920-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3756-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3756-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4540-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4540-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download