neconyd | e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333

Analysis

max time kernel
115s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe
Size

71KB
MD5

b0c8c1254d019f91b0de53fd83e2e3f0
SHA1

2691422a374d6f503a5f19577963c40f7b266ebb
SHA256

e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333
SHA512

088962a81cfa4584eeeb71fb7b8c16b6ac76f65bc0cfa9f625d0ad2698bf63e279375c78ed5b4a179e10b5b85b88b228547f9abda8e66d36adfff56c507e7372
SSDEEP

1536:bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:rdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3648	omsecor.exe
2540	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3648	3644	e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe	85
PID 3644 wrote to memory of 3648	3644	e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe	85
PID 3644 wrote to memory of 3648	3644	e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe	85
PID 3648 wrote to memory of 2540	3648	omsecor.exe	105
PID 3648 wrote to memory of 2540	3648	omsecor.exe	105
PID 3648 wrote to memory of 2540	3648	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe
"C:\Users\Admin\AppData\Local\Temp\e1caa22d8e22e0fb18a02f3f9910643ef9d84a40b93f6b456c243217ff532333N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
c25bc798874c6e73e9f61cf5d6168dfb

SHA1
fa603b8041c897c19b1367991a163d8bff6d8e31

SHA256
1300ff371f34d366efce72c322c9381317ce39168dce31417df89be08be46e9b

SHA512
1eba10ceec01c3271ee3b65a3454335c5e9627e4d473b4157b6428f50b95d127c5ad14023d60b06b646d046336f473cd585e8c605491982eebb25812d5bd0caa

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
2fac534bd29f3d482491df7ad834a163

SHA1
25896b77f84adb921c9b8fbafde8b1a332dcacb3

SHA256
04f5248379de95ac5bca96a0d3400ee7f92ac1720bf69c3e81ff474f622f41e8

SHA512
6a0ed86eaab6cd0f70b5ecf7d3000abad6f8c1e8e2c5ee1c24c9ebd91f257459f3fcd5c8a4f6c81e62ceafc966e684935529a91095971ae99c651345df0bab36

Download Submit
memory/2540-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2540-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3644-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3644-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3648-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3648-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3648-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download