neconyd | e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577eb

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe
Size

80KB
MD5

3ef104808f6e128031a2eabe91778990
SHA1

cf5bf941b64ed6429e0d66b6a7332ee541fcd293
SHA256

e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577eb
SHA512

6f56d3acd2e09eb925f742346930e63d4a8c90ea51918a698ab9cf6561bccbf6cc2d990b5b3703359bb2a9f83d3dbfb1d6d0194bc431deeedc5f05f4cd3c5490
SSDEEP

768:qfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:qfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3396 omsecor.exe
4292 omsecor.exe
452 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
3396	omsecor.exe
4292	omsecor.exe
452	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

omsecor.exeomsecor.exeomsecor.exee63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 5028 wrote to memory of 3396	5028	e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe	omsecor.exe
PID 5028 wrote to memory of 3396	5028	e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe	omsecor.exe
PID 5028 wrote to memory of 3396	5028	e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe	omsecor.exe
PID 3396 wrote to memory of 4292	3396	omsecor.exe	omsecor.exe
PID 3396 wrote to memory of 4292	3396	omsecor.exe	omsecor.exe
PID 3396 wrote to memory of 4292	3396	omsecor.exe	omsecor.exe
PID 4292 wrote to memory of 452	4292	omsecor.exe	omsecor.exe
PID 4292 wrote to memory of 452	4292	omsecor.exe	omsecor.exe
PID 4292 wrote to memory of 452	4292	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe
"C:\Users\Admin\AppData\Local\Temp\e63d11953e9f0e0bbcdd29703739f98b99ac3ad7e3d1c75a6ee716d596b577ebN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
8e521d4ae5debccc144a7937ce1596da

SHA1
32c45f1b7f571708d6c1a9efd0c15060776fadb4

SHA256
0d9ff6a769bcbc1073ff804b3398af868037ddf65af0933473519ccb68961ccf

SHA512
14a207f0e313ce0892a29ee192166ae09bc02b96c8804fb6b55b1b73ed2e76ae53b81db1a41df5251e3481ea511baa4a06691550ad2ba09b8968cf6006eef4ff

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ff5b34b0de496eeb4a2d2d4f60070c14

SHA1
0fb90890e49d077f1d9926ed16af1445f4f288d2

SHA256
b17f1b4e2a8a08de6349fb90a19f0078051e4bf312f6bb18e38d7fa12e9d53a0

SHA512
b981e8cb4597639e2d1a955bf6c231e618e6daaf36c48a93e0248df000e5c7fc44598c674d1255f2efd920e8ab69983a69d80c581654bc031fa1ea2f5a8442a6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
33de5d3cd2ac9680fd6ca53d3a18beeb

SHA1
9cd6ee7d79b7c585a418bdb1d9ec4d94d98007b1

SHA256
89217378bfcbc4c4f8812266a3dbdb8262cb53fa6fcedcd919b4d96c53b6e56d

SHA512
3db7733ca50b7f214baec2a4221538ab540ec4b3cb1bc63acaa7980b6d91b63c581b53297acac6ceb9783e5cbd91144a9389fd2e72ac03f4a1157bb79f3d4814

Download Submit