neconyd | 1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
Size

92KB
MD5

f51e4622f42425e5e43cacdc7824a0d0
SHA1

f8bc6469df1716361173bd4281713e0181e8bf57
SHA256

1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3
SHA512

8daf68dda8b1e843b8ab20aaa6f9936635b7a25709ee61f0e0f6c3c1968126368c3c3313e9d4fba6532da2c68126a423f81c74203e9be99f2a85fc495693766b
SSDEEP

1536:Yd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:odseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3880	omsecor.exe
1128	omsecor.exe
632	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3880	2068	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	83
PID 2068 wrote to memory of 3880	2068	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	83
PID 2068 wrote to memory of 3880	2068	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	83
PID 3880 wrote to memory of 1128	3880	omsecor.exe	104
PID 3880 wrote to memory of 1128	3880	omsecor.exe	104
PID 3880 wrote to memory of 1128	3880	omsecor.exe	104
PID 1128 wrote to memory of 632	1128	omsecor.exe	105
PID 1128 wrote to memory of 632	1128	omsecor.exe	105
PID 1128 wrote to memory of 632	1128	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
"C:\Users\Admin\AppData\Local\Temp\1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
305d597425f5ae5091eab06042842421

SHA1
31063fc845f7e8554d01bdf857101ea39ab0186d

SHA256
6354a10846be0280ff1dd9d8e518ed2016962f8e4cb6ddbe63549ac4b97c0687

SHA512
037d43d81795f8b0089ee62e6e01897bd640040dcaddb7003d53549fc63be991b3f1e448d418dd6ff2ac8fdda6d52c6d8fccf31ba3ca8d3d730de9e3ce292d8e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1eb0192bf97ddca9f6826edacc3bf9fe

SHA1
bb8e3f725a34d6630944916800dc59e682384be6

SHA256
65b2465034b9c31755c0572e2597a76f01468292e8b64aac0f12b27870bc52ba

SHA512
5920e10eb250ca463d9f8709f53b7aeb12f52a6f61c05a624f1c121d480974329c4a8211d23611777845f1ae1945b3398185d056cd08449d6f350899e1c314cf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
bea18a2b619d53a51a3e5540fc4e8405

SHA1
d9f2ae42015cf6f74c1bb9d5cb6c5bebfa206ead

SHA256
90427197a8cc6badb0d891593935dabda3eb7000914d95a5dea77d2c4c970348

SHA512
fbec0b0d0ec5c3abc79158be7d51361d47ade1222ccc6701e8f576f8279f827bd05b1d667a594b16fc242fc91e4b33891f8a7392148266e93b1813ef0ef1d15d

Download Submit
memory/632-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/632-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1128-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1128-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2068-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2068-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3880-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3880-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3880-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download