neconyd | 7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 08:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe
Size

84KB
MD5

d8df68e5f9e5af6ca048868583614b20
SHA1

efe04bf49ab3b848c09bb992527c82a229720013
SHA256

7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02
SHA512

aacca698c9a3dedf6e6bc2cccdb60e3d04deacf8298a5e234aa7910477aafb079620d50feb8c6f2144ea44d36a6f5845a03464a472c6e57e30f6a5c1e52ebe0d
SSDEEP

768:0MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:0bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4460	omsecor.exe
1760	omsecor.exe
4152	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4460	1328	7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe	82
PID 1328 wrote to memory of 4460	1328	7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe	82
PID 1328 wrote to memory of 4460	1328	7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe	82
PID 4460 wrote to memory of 1760	4460	omsecor.exe	92
PID 4460 wrote to memory of 1760	4460	omsecor.exe	92
PID 4460 wrote to memory of 1760	4460	omsecor.exe	92
PID 1760 wrote to memory of 4152	1760	omsecor.exe	93
PID 1760 wrote to memory of 4152	1760	omsecor.exe	93
PID 1760 wrote to memory of 4152	1760	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe
"C:\Users\Admin\AppData\Local\Temp\7ef092f354daab7b00db699700f21d30658bd89a9d3fc9b7ac0688cdf563bc02N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
56304f73a1aa61eb1a90f982e6710615

SHA1
e836f43cfea63e4d2a0d085fb4ac10acbb7c3769

SHA256
e08c9555f37d886a2222577c8ae95443cc8ed0ac1bac44191f21676be1746e0e

SHA512
c3855ff1ab6c0393b308a29e58bdd5d6256bd91bca5e21bea0355fc63f76a8ee4561ff29777deb09ecccbaf69f24f0195740f817cb9a4636d5f5c11c5ea00dee

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
a9498410668670ba21e34dec02696cee

SHA1
634ea5a14d89b6e4cf28d9acbcb670cbff3f4c0a

SHA256
5bbafd942442b42ad03c790518f8a24975c093224d66353f49c3d58146215ab6

SHA512
10a97092358016c28df01b9acd5ef27b0bc60e320d75df49f2253a8b3afee17e04e60f9ab5692fb8fc8f841db23dc030c9f270709f0d22d6ac8b6ad02e8ac7ff

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
3b345d09fdc1fd7eb125ba827e58be62

SHA1
a53d1cd0289f924f94e2333ddb09581e7b733132

SHA256
4a0e78634d737b824596d111516396b3034f8a5933cfc6b67ffc5ef3bf9d1fd4

SHA512
ee7b48974214956a0599b2801bb79b859c271f561388c6ce24ee3e6e3d3ea8e9e4dee16586c2146fc457236e7d9ab293f0bcdb4b91cc6f71046d173c739410cf

Download Submit