neconyd | b3019d1fa0edf00d681239298dacd606d007d03f47eb7941d7c8b10caa1706c1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a204f9dedf0dd81629ada4ff71a138c0N.exe
Size

61KB
MD5

a204f9dedf0dd81629ada4ff71a138c0
SHA1

5967412ecf216707518350a9fa8432f53f3d0b66
SHA256

b3019d1fa0edf00d681239298dacd606d007d03f47eb7941d7c8b10caa1706c1
SHA512

060d2367f7fab9e6176c41a874c8cf6dba8706312b7a588e944c9938c7934135513274a186dc36e738d797ed50b14bda28e6f0600e43f896e539290c8841c343
SSDEEP

768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:JbIvYvZEyFKF6N4yS+AQmZIl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2296	omsecor.exe
1064	omsecor.exe
376	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	a204f9dedf0dd81629ada4ff71a138c0N.exe
2280	a204f9dedf0dd81629ada4ff71a138c0N.exe
2296	omsecor.exe
2296	omsecor.exe
1064	omsecor.exe
1064	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a204f9dedf0dd81629ada4ff71a138c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2296	2280	a204f9dedf0dd81629ada4ff71a138c0N.exe	31
PID 2280 wrote to memory of 2296	2280	a204f9dedf0dd81629ada4ff71a138c0N.exe	31
PID 2280 wrote to memory of 2296	2280	a204f9dedf0dd81629ada4ff71a138c0N.exe	31
PID 2280 wrote to memory of 2296	2280	a204f9dedf0dd81629ada4ff71a138c0N.exe	31
PID 2296 wrote to memory of 1064	2296	omsecor.exe	34
PID 2296 wrote to memory of 1064	2296	omsecor.exe	34
PID 2296 wrote to memory of 1064	2296	omsecor.exe	34
PID 2296 wrote to memory of 1064	2296	omsecor.exe	34
PID 1064 wrote to memory of 376	1064	omsecor.exe	35
PID 1064 wrote to memory of 376	1064	omsecor.exe	35
PID 1064 wrote to memory of 376	1064	omsecor.exe	35
PID 1064 wrote to memory of 376	1064	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\a204f9dedf0dd81629ada4ff71a138c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a204f9dedf0dd81629ada4ff71a138c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e9c1d9dc30cecad201fef431f4b9cba0

SHA1
34b858a648c5076d57ef671b6d0e714be38031e1

SHA256
7da03c5540da03596a84ae7cce8f142fad7115d6219c8199cc933397470e00e7

SHA512
de0681108ac9a38cf8bde156211390e0101d196145440914db5bfbeaf8b6c7838900498c8af0e0b956f99664979ad71f69ea787244289b30abdd1c1079c7575e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
63824186fcd1f38bbf998569d6e76da9

SHA1
6336b0539f9366b48d56b7feeb1ed6f50093bd7c

SHA256
06f995f2565516f2feba438d067eb3b25d4d6b9a740bc73683e15fb0061dd94c

SHA512
9883245ab8d69e033833ef828ae2f1f3572a3d34c649a8ab688a8a9b71293052eed2a0845bcc1c425a21c52c877209eac1e28752de1176c17536e5f090fb60ec

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
e3cd4749afaa00c7c7e2e5face1f2380

SHA1
abf884ad2ee486fafc3beb05303b0a62a6c7a0cb

SHA256
2fbc933bd52cee1462c36c865338433f1f377618aa9e6340c9c45feb959e6f88

SHA512
5cfb02e9c8a98c6be3ae60824c817400aac0a7b4f16df0a0fddc6f3c9f7a4b3b78c45a59e08da4b4d2d5cd8630f4c8864baeaefa801e83210737cdf5d4e1e8cc

Download Submit