neconyd | 84dca725044c72db694b64c0ab408fb735548e7a31664e982e432db23cc72377

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0705278ce0c6f6ba1dacfc741f1c210N.exe
Size

80KB
MD5

c0705278ce0c6f6ba1dacfc741f1c210
SHA1

ba99352184c9f79bc95a921338a0ca565b7c0dac
SHA256

84dca725044c72db694b64c0ab408fb735548e7a31664e982e432db23cc72377
SHA512

13881997308e8e5c461ef2cb8a66e3c8163fe4918591420efef130e90fcf8517414a3ddb3c6feb91131e60fc36a311e0e4337a1e5d9314fbbcc252a804b85103
SSDEEP

1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:fdseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1432	omsecor.exe
836	omsecor.exe
1812	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe
1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe
1432	omsecor.exe
1432	omsecor.exe
836	omsecor.exe
836	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0705278ce0c6f6ba1dacfc741f1c210N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1432	1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe	30
PID 1040 wrote to memory of 1432	1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe	30
PID 1040 wrote to memory of 1432	1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe	30
PID 1040 wrote to memory of 1432	1040	c0705278ce0c6f6ba1dacfc741f1c210N.exe	30
PID 1432 wrote to memory of 836	1432	omsecor.exe	33
PID 1432 wrote to memory of 836	1432	omsecor.exe	33
PID 1432 wrote to memory of 836	1432	omsecor.exe	33
PID 1432 wrote to memory of 836	1432	omsecor.exe	33
PID 836 wrote to memory of 1812	836	omsecor.exe	34
PID 836 wrote to memory of 1812	836	omsecor.exe	34
PID 836 wrote to memory of 1812	836	omsecor.exe	34
PID 836 wrote to memory of 1812	836	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c0705278ce0c6f6ba1dacfc741f1c210N.exe
"C:\Users\Admin\AppData\Local\Temp\c0705278ce0c6f6ba1dacfc741f1c210N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
5fde449e3df393bcd46d55f7f56aecd3

SHA1
f98c3c419450d140335ac763f8b7141eb48fe30c

SHA256
b570b1ef4648b7fe7483232d7d6e58aae0fa74b3bdd016e844f224b43f86b952

SHA512
c6bf9f8b534b1fe45adc0581d20cb7900c430c29335f45d611c3d3462ca074ae9c98e244f238322f642aa1d5649ac4a2d1e318fa05fa9e40382448cb1842fd07

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
638dc96c648b32200a6cee5f01126b2b

SHA1
96953f0089ad04620f5e58a02773b730f5c7edb1

SHA256
0913d89f5d52ddc1066f58e7fa94fbe90b0e76f99d8ec446a108ad3932ec8c79

SHA512
37910be5a9b5b26c3dd91e33ce79c4018fbbdf9c9233df7e1f8cbfd64a6b8b90e4140c3bb86047e71145affd8ac3a529263cac666bdf801b6378496f496a1d47

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
4786e8130d96ce9100e0cd97a59d4db5

SHA1
490da8b227e20d8b743d0cf358ad063e46b1a8b4

SHA256
9901453b2aa12072f72927d88650e4f244394e831c6e66256d768c61b70f98f0

SHA512
4545ec179f4eeaa965b62d84165f5f65d3ea246fb48849d8e610a36428c1ab0814b6c29b0ca1d09bd7a9466279dacb601fd35673ed9e120009c57eec372326b7

Download Submit