neconyd | f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f

Analysis

max time kernel
114s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
Size

92KB
MD5

da37ab0901d58393f58440b8fd04e921
SHA1

46a9d071e6560b02abf7b23c4526cb04062bfdcf
SHA256

f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f
SHA512

3120842780a03c756b8a07ab04411916cf926249028954eae7713b38043e4af09cadd3dc493a41c084421f5a8bd869d8b3885a203353fcb9d6f9e3b08e507d96
SSDEEP

1536:Yd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5f:odseIOyEZEyFjEOFqTiQm5l/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3268	omsecor.exe
936	omsecor.exe
3136	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 3268	1268	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	83
PID 1268 wrote to memory of 3268	1268	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	83
PID 1268 wrote to memory of 3268	1268	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	83
PID 3268 wrote to memory of 936	3268	omsecor.exe	102
PID 3268 wrote to memory of 936	3268	omsecor.exe	102
PID 3268 wrote to memory of 936	3268	omsecor.exe	102
PID 936 wrote to memory of 3136	936	omsecor.exe	103
PID 936 wrote to memory of 3136	936	omsecor.exe	103
PID 936 wrote to memory of 3136	936	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
"C:\Users\Admin\AppData\Local\Temp\f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
41d4026623c4180d8ed8fd350681c6a7

SHA1
45cf961995b3c45e441ced78f88115e3cad61009

SHA256
818188afa3ee52a7ad98b5ccfe1877bfe8f840b5224b3f08cfe5cf9bf40b78af

SHA512
504f7443d44ec7458667de6abee1dcdd2c05cfcb0f3ca44be7b2acf905de73e7b074c761e28b67f6f151175cf46be8a266326efd60d18b58d4db693a2a58794a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
91e9ca76897a2fa0aa60105d9b50d75d

SHA1
1c4eeb3157c53f621e139f5afcc6fcff23fba556

SHA256
f33218cb8f6888f05b2fc5bc4a767b80cf55fcd66a330b685c8a9506d00c6322

SHA512
67cf079b5cb36a335ae8fd4a5dffcf54cabd4d1b29f1317a92d7a3c8d499d83500ff87877ca7357a9f002ee822f1093e1365b8e0257cfb17d0b6173e9a3d2e30

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
7ba55e2286be73a4de5623d0f542267d

SHA1
164126826db1853de6dd77653ee6f6285f2e4933

SHA256
42012f4ce0e4d25e60738a2d1518b46e3d50a1a1294a14a835f0bcba577febaf

SHA512
98daada120cdff50658ac74639b3f0d9d183a912db45aaa869473b0f54601ed3b11b4e6fbc8b8a2510dad136bf63aad07b488aecdb9996f55484fa50c862c9a4

Download Submit
memory/936-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/936-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1268-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1268-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3136-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3136-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3268-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3268-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3268-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download