neconyd | 19b2a139bdf81e44673c54e9ea003664aa433736fd5491273a18c60c05dfd763

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5023c8d0c1effe4a6d944295c192a70N.exe
Size

63KB
MD5

c5023c8d0c1effe4a6d944295c192a70
SHA1

539bd3b303d96938fa60bc33fc8dc12410650ef9
SHA256

19b2a139bdf81e44673c54e9ea003664aa433736fd5491273a18c60c05dfd763
SHA512

0885d8576b977c77ff5e2fc534ceb44ada03b4e5e8816ed002d2936e16dcadf14d91a0181ab66a564f4681a4dba7e01f35470e6489232dd8ed7564a4bbc60c2d
SSDEEP

768:RMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:RbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
5112	omsecor.exe
884	omsecor.exe
1784	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5023c8d0c1effe4a6d944295c192a70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 5112	4964	c5023c8d0c1effe4a6d944295c192a70N.exe	83
PID 4964 wrote to memory of 5112	4964	c5023c8d0c1effe4a6d944295c192a70N.exe	83
PID 4964 wrote to memory of 5112	4964	c5023c8d0c1effe4a6d944295c192a70N.exe	83
PID 5112 wrote to memory of 884	5112	omsecor.exe	97
PID 5112 wrote to memory of 884	5112	omsecor.exe	97
PID 5112 wrote to memory of 884	5112	omsecor.exe	97
PID 884 wrote to memory of 1784	884	omsecor.exe	98
PID 884 wrote to memory of 1784	884	omsecor.exe	98
PID 884 wrote to memory of 1784	884	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\c5023c8d0c1effe4a6d944295c192a70N.exe
"C:\Users\Admin\AppData\Local\Temp\c5023c8d0c1effe4a6d944295c192a70N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
db5c871f000d16a3975c3c8c6b085a50

SHA1
7157dada26cfbc2d50b788a7d350fbf269d1b7bf

SHA256
30ca4245b8dd35fc4491195d8b4c357037fc0403097d4970f8a8a9d1e4c068b4

SHA512
decdb5c0d7147396d345b38bd63ee49e4e8e518be8c74d4dd44ae4d508991ab795af6faeb1c2eed7315d43549b2c6c64625d0d33ec4e1a972c7d60457e621562

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
49d4d60f0c09ad87edb2abad31e88f5a

SHA1
6fd8998048be9d26fb477d3df417b4c1a921df05

SHA256
5a32bfe660cbc3de312de49326b55b46d0df21c2ba5f355d9fc8af7aa0bac5d6

SHA512
ca09c7760d97715216e0f84e104a9d8ea4c17c0bcbfef32c9992e2a9d96870e8be4629d7eea86396706e951f6fe5c24694c839993b3f7b0af79a8a7926d45d41

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
48cfead42758e68037751b29596a9df2

SHA1
ad309ba0e04f5a66c045782b62cadb0fba3af7a8

SHA256
b18580e110010fc61222b86972c4ac45cda0e736e73b368815fbc3c64f8a1ac6

SHA512
8a096f2c52ed6696be738686fc825076df14eeec591ce7447330b0e30e06bccf2f19f44673a0663cb954826e68b0c824c6eb87ef5babf49243e1970ebcc25aa2

Download Submit