neconyd | 80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89ed

Analysis

max time kernel
115s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
Size

248KB
MD5

46646200127933eb608f6b5e323ab540
SHA1

553b2377ba405e07894359cfd2a730ef3195b17d
SHA256

80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89ed
SHA512

43941d3eff3d38c0b02b0cd453b4a95b7ae6311776935d64b65b4cb1e7cd2b6ca10a49a164a1944ccedf5f8593a10100dd571392a1f9fc5777180838743b6de1
SSDEEP

1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4952	omsecor.exe
4176	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1216-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000023b31-3.dat	upx
behavioral2/memory/4952-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1216-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4952-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000021a70-10.dat	upx
behavioral2/memory/4176-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4952-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4176-14-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4952	1216	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	83
PID 1216 wrote to memory of 4952	1216	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	83
PID 1216 wrote to memory of 4952	1216	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	83
PID 4952 wrote to memory of 4176	4952	omsecor.exe	104
PID 4952 wrote to memory of 4176	4952	omsecor.exe	104
PID 4952 wrote to memory of 4176	4952	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
"C:\Users\Admin\AppData\Local\Temp\80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
eba9f19f544fd55833dc5aeba50492be

SHA1
a35a25e0d5654d6509fb60fcc70f86228c93a036

SHA256
648ca124e69c2dce63cdb465defe7b945564b36ee819b1faecb861a4231b8290

SHA512
591416f6c48d02bf9b2593a9a90f251589b98f7b5ad7b39f08f92f7e3e468abbc0cbd18b35004ffc17745e299082ea5ebb598e898bc985b2fd40770f0ecaca2d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
dd94c992f553603d15b0c549c0cd3ee0

SHA1
a4ce5be42b237f14557fcb8b10c615f698e32e76

SHA256
026c1b0286fcfee0598c52b6d86945faa22c8e2b38157abc0ef8c59dd25ba04e

SHA512
cb500de2b1ae8973180efcfe681ec379f29521d7871ddac133e30be3489c15f0dc58d93e701100fbb08b7be7b0da495b727828f4bb707995d971439e10fc3b4e

Download Submit
memory/1216-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4176-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4176-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download