neconyd | cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe
Size

80KB
MD5

d42c59f335bb36734807221779d9bdf0
SHA1

3c6b0260d1d83b2ef2e73b33f422f320bc7737c0
SHA256

cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934
SHA512

45feaf191709ac07965596c3a51fb03d3ab1eb41aa1d41607bc707ad0d301fbc98d61c295c7c7b420f516e5a66221d5419059dda0c75c3ed450e2df5fe9ff2f2
SSDEEP

768:CfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:CfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4136	omsecor.exe
4280	omsecor.exe
2404	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4136	2540	cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe	84
PID 2540 wrote to memory of 4136	2540	cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe	84
PID 2540 wrote to memory of 4136	2540	cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe	84
PID 4136 wrote to memory of 4280	4136	omsecor.exe	100
PID 4136 wrote to memory of 4280	4136	omsecor.exe	100
PID 4136 wrote to memory of 4280	4136	omsecor.exe	100
PID 4280 wrote to memory of 2404	4280	omsecor.exe	101
PID 4280 wrote to memory of 2404	4280	omsecor.exe	101
PID 4280 wrote to memory of 2404	4280	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe
"C:\Users\Admin\AppData\Local\Temp\cbb7e7b66b2727947d94dbcbd2c6a6dfbdd6b9528644ad4d84b7729b2b19f934N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ca47b35cace9210ba8f3b6d3a954206c

SHA1
608ed54d6284da69b24b84d8ff262cc99fb77b49

SHA256
7acd31ab204e09eab91ba3eaa6eaf54dbf52d6b9d5146e9e0a1188da94226d09

SHA512
9eb25b354d7037eca70e790bbece91276dda9b5c6b7f904252a2510a3f002e465cd90b1b8fdcf487c49b111cbceb83c4649914c44513ab3e754a67f95b81c7e2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a27db7eadaf51274a728588327338f0d

SHA1
b5f1690a3435b4e91b20f542614ab0f1b84225e0

SHA256
06712c25912232c11138f00e655b45623d39c0b01abdfa9b1286616d1ec9d8d4

SHA512
08cb19d927ccc7c00ff7e6a8835be8f9fbdcf05a5c7ffc08f6b727648c356597b59fd3d076fdf6715199d2ab6ded84604f5877882048d7c9985ed9c4653b6138

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
39985733a2746f95d74340bcfa7cf62d

SHA1
8d226ec7fac09c8371ba49dbfe545224de61ec66

SHA256
9f4235cfdbc634cf11539484160ef85c1674f3b7935206fef1c2945e932b74e3

SHA512
3fc9d86b35df30f8813f7340c0fbb0f8cc49b7536ebeefc3803ce2dbf96d97b743f48b188431a9f247648c4ecd3c21a2cdede7e806d671d517cb3bb49f8264a8

Download Submit