neconyd | b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe
Size

61KB
MD5

91414c25f74b6ac3dfb1e3f36f94b640
SHA1

f206b328bc8ec8f65cb241253c358f4287f96aaa
SHA256

b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193
SHA512

fd92841e8bdb2576adcb7a3029a3e33d20d7075a99863e179452c62ef0a2f77736a1f02779358521db0a92ccc12ce5234f6ef4592d00c43bee88c3db42828fa6
SSDEEP

1536:td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:FdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2936	omsecor.exe
2232	omsecor.exe
1720	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2936	4340	b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe	83
PID 4340 wrote to memory of 2936	4340	b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe	83
PID 4340 wrote to memory of 2936	4340	b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe	83
PID 2936 wrote to memory of 2232	2936	omsecor.exe	96
PID 2936 wrote to memory of 2232	2936	omsecor.exe	96
PID 2936 wrote to memory of 2232	2936	omsecor.exe	96
PID 2232 wrote to memory of 1720	2232	omsecor.exe	97
PID 2232 wrote to memory of 1720	2232	omsecor.exe	97
PID 2232 wrote to memory of 1720	2232	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe
"C:\Users\Admin\AppData\Local\Temp\b70170976ad6b720a625f3848c310c7b8b3149b5b50a230bad88c18f324ea193.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d10c69541853fc3bea3f53c0ade25bfd

SHA1
15334180abd30ac3de91d50ceec9262c9a053839

SHA256
fa452478aaab574e49aebc1dfbbe4e69a386e6bb408304e66c7c37a86b3f5602

SHA512
188a335b93240205256eab5857914c7f79757a456b772f3417fa522ac8b4735f635aee2348f14699ab59bbba361541aaa2a350265f320f3bed58617d5e8a99c8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5fd34444aa95d3b325e6fbd22a84e52b

SHA1
9fc044489e9ca1ad3cd494b73d62af6c30a84789

SHA256
e03504b935feccbbd2b19b910af8f494e88775f7227b9dea6031041f6b404207

SHA512
31bd50801bfcdd690d3c2235d679d89b590810e0f27c3d9efcf6c5055e774b1d8ac393128d4cbef6956b7a733a3f648822e85a09c1f15f55cf6f7e317a7c5986

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
5b0f56523a825dc2176ed9fe719e7027

SHA1
65e51cc257f012f7646b67a4b017614378b50294

SHA256
2bc947ffbd29bb0787f30a1a00de8c3a60cd4c7d1fcb7fcd168dd61f642b65a5

SHA512
0cc23997d81a3e17b9b9baa87fc88e20112fece8470a04f70843f3132ddfb289603a1d121c94c19cc9cec920e6f4386a5acf22fbf6455bbd64206f3846cf6c09

Download Submit