neconyd | befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
Size

61KB
MD5

0dba0775cc9b5926f94321ce001ee641
SHA1

bf65e0f7a8ec59dcb41f18ec8b3ecd491e17732a
SHA256

befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2
SHA512

0ee85611fa9fabdcb2c8ad1480b827726f283c2f93f1ef44d21ad47a35487eab27c5c8e24c3d7bf2d220f16752d15c446fcf294f905628d0a9478f02f9f13692
SSDEEP

1536:Sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5l:idseIOMEZEyFjEOFqTiQmUl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
840	omsecor.exe
4900	omsecor.exe
392	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 840	440	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	83
PID 440 wrote to memory of 840	440	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	83
PID 440 wrote to memory of 840	440	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	83
PID 840 wrote to memory of 4900	840	omsecor.exe	97
PID 840 wrote to memory of 4900	840	omsecor.exe	97
PID 840 wrote to memory of 4900	840	omsecor.exe	97
PID 4900 wrote to memory of 392	4900	omsecor.exe	98
PID 4900 wrote to memory of 392	4900	omsecor.exe	98
PID 4900 wrote to memory of 392	4900	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
"C:\Users\Admin\AppData\Local\Temp\befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e788664c4746dc769e5db97412c6f54d

SHA1
3de0b6f0462c81c703e170b174902e005fb68160

SHA256
43ad1fbfa7dfc7f80d18b24675581a9a1c296f19da16c221f3183edf244406ef

SHA512
efbe9e5a724c60ee436556855ba9a03d46e1025966a8f07f1549fdbff26b41b5463119de9e1dd4f89e5a34f2e415aff61f2b84ee48d03d2df8eaaef94227f123

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4e9b2fb8c4e3eb9450f9ebe81f5ac15d

SHA1
0e4178bdadaee6a44f44b0a712236246e89ff4eb

SHA256
4eca7368eeb58ac6474cbc9e2da60904a01214e6d1b9891f77b06d8493a73fcd

SHA512
ccddcd20d0f7954b584b6f3d08f688d755187668619ed3f729e53e919728d222f9b16db8e978010373303f0cdd58beac93ed22ab058b62f0f9bb8082bd1c3be2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1869cdec5c98d2628e838f16a66bfb1d

SHA1
1f4c8932bdfb14dee9eda670cbaf2db946bf996c

SHA256
488ae5339c5e8cff552d3481b11c704440ee26d78fa81eea11ee7faa47698647

SHA512
ee1b643c50e1172d8d3b6298298f136eaaf90c1b0cca3942047e38d986c1fbfeab6f5debc2ec14bfd73a66e35915534fa44bc0254c0fd1984a2d6ae4f915cfb8

Download Submit