neconyd | 966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
Size

64KB
MD5

306ed1a1937afa4e0e77782c39609100
SHA1

bfca77b9ee2c2ddf46e1c10ebe1671d9cb9c414c
SHA256

966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12a
SHA512

1a9528ebe76e8415993b969f17797e81072a52f115796deddb7ac0fe8384a7364d18d86df5ada5c9c8a3dc81e566ad3772ea48eba620b0df38fd32d886fa0a9a
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:mbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2408	omsecor.exe
3980	omsecor.exe
1304	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2408	4304	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	89
PID 4304 wrote to memory of 2408	4304	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	89
PID 4304 wrote to memory of 2408	4304	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	89
PID 2408 wrote to memory of 3980	2408	omsecor.exe	100
PID 2408 wrote to memory of 3980	2408	omsecor.exe	100
PID 2408 wrote to memory of 3980	2408	omsecor.exe	100
PID 3980 wrote to memory of 1304	3980	omsecor.exe	101
PID 3980 wrote to memory of 1304	3980	omsecor.exe	101
PID 3980 wrote to memory of 1304	3980	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
"C:\Users\Admin\AppData\Local\Temp\966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
cde26814ce06c9f76ee20afe08582cf6

SHA1
0b53dbd3f963b1f280f117e745f82e1158f48dc6

SHA256
1bdb30a6520e87a6ebbc73d004e6a9d3fe26cc1d2c6590e635c9ed29ad04156b

SHA512
95a17fc2c4d739c7f89c473a84530154be9ee216b7fa1ba5614581f89768c313b7a660986ae7b6bc1f0111e41256da4a84cf2d1d516ff4d1f9e349cb08822d40

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
6ba7ef0e1a247081a7daa9f6bb3b9010

SHA1
501ab0fa6dde8fe499c1681a618420c5828a9e41

SHA256
4751a851672e0ec72a74365f81b0785351a71059323cb7f28a42134b6f45fdce

SHA512
5a9b2e56a12cd345cbe68207eacbb44e4a5b8d91d322a077a5d8b15606047c7d90ed4175edead67d2f76751505c8f0cac7ff5b3375df7341100c0990765853f1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
911eb8302655351d8d8616c53d251ac2

SHA1
6d5a6a4ecca6353ee8a432e94fd8c36ec98f53f3

SHA256
dfc0194d52696a6f75a33adca03f31f86a060f24adcea275adb8139b3642b0d8

SHA512
6eef25c0446b3b35f79ce6b45bc14ded22b54f7ea76eec1016d639cb4aa428e5c1eee888d900d46927111b70103e5ed1f59a8d6e7a55b5d04bfb8bd094d831d2

Download Submit