neconyd | 68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
Size

92KB
MD5

587b6d81e23b25972132a72f2bb24d17
SHA1

dfff9825cbe8dcdfd2792990b7ad0cd9922a5b5f
SHA256

68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399
SHA512

11023f3a3e2c771d18a0f40313e230b035004a3df2691838fb47b2b31f7f5d01b23cae68b60d21e87c261f4ad4f5d4d7eb61c7bef5eed8e48199af922619e223
SSDEEP

1536:5d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ZdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5068	omsecor.exe
4396	omsecor.exe
2068	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 5068	1612	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	82
PID 1612 wrote to memory of 5068	1612	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	82
PID 1612 wrote to memory of 5068	1612	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	82
PID 5068 wrote to memory of 4396	5068	omsecor.exe	92
PID 5068 wrote to memory of 4396	5068	omsecor.exe	92
PID 5068 wrote to memory of 4396	5068	omsecor.exe	92
PID 4396 wrote to memory of 2068	4396	omsecor.exe	93
PID 4396 wrote to memory of 2068	4396	omsecor.exe	93
PID 4396 wrote to memory of 2068	4396	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
"C:\Users\Admin\AppData\Local\Temp\68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
92fad621acb9f32993aea0804d3929c3

SHA1
6cc9bb63ff0af1a45d97d7594fac3ec787b1f4e8

SHA256
67f2ccd0a55820c40cf186a6251445526f981be83c19af897339c35676ae9521

SHA512
f806981f1989ee62c5c93e7d5c58702a062f241b853236bc111e4051a2694d828c79fef7df6f193bcaf5439cc3b3a54014041a13bdbcb15f1be64d2974d3e1ed

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
d75fa29c872c683fe0e2fa4963dc1754

SHA1
c6c5d9bc6e58604a488d3c35b449593cb41e0c7c

SHA256
7af5941911e04475e969b4dce5c0dfd8c00e261294614c084e58e0ff71c50950

SHA512
fb5d1780fc957c36b8731a79ad668447d89f4d22c50007abc7c1f3b1e308dc90104692da36dce1b9eea120288c9f7543f5824050a935ea2a649fad667b7811e2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
b23961005367eb0ad3418efc4b34cab4

SHA1
6493c70946b536ceb962649e67279565614a31ca

SHA256
ebd3d9724cabdd7f7dbfd61f8e98b572d6901c228bf1b9b2c4bf3998d61aaf78

SHA512
a184b612208b396ff9d899cd8339dcc794bf9b402330c1d05cf8ba52c69d4634e9334d67a19c0ef1ecb0ce8c36b2d059d96726ab6b351541c5561b23eb6ae0fa

Download Submit
memory/1612-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2068-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2068-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4396-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4396-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download