neconyd | 8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
Size

76KB
MD5

d87fe9002df21cbc668639c043c22a79
SHA1

48681954230dad6bd85cc485cea7f0381668cffa
SHA256

8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d
SHA512

6d5cd64e8570090f22cbbb47fd9a386ba86456cf6c29ecd40c37e450cf7c037e75e6388a107bf1fb0fa8033c38534b997ad1022d0caf2a5a3c426d9b45b68474
SSDEEP

1536:dd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11L:VdseIOMEZEyFjEOFqaiQm5l/5w11L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2364	omsecor.exe
1376	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
2364	omsecor.exe
2364	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2364	2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	30
PID 2640 wrote to memory of 2364	2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	30
PID 2640 wrote to memory of 2364	2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	30
PID 2640 wrote to memory of 2364	2640	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	30
PID 2364 wrote to memory of 1376	2364	omsecor.exe	32
PID 2364 wrote to memory of 1376	2364	omsecor.exe	32
PID 2364 wrote to memory of 1376	2364	omsecor.exe	32
PID 2364 wrote to memory of 1376	2364	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
"C:\Users\Admin\AppData\Local\Temp\8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1a7747c43f875e352cdb2bbecd2e6199

SHA1
76f5132997f9fcc469066d54db38291f48f86d22

SHA256
b521a35c2b53fabeac143f0376bd63c8bc574751a41b0e35f9116efe9a56be69

SHA512
926d214e62ba3909820cd7dd436a1264ee348705e006d0efc8f859b4c0078774d0b261b9edb7942545f145ea1dfbdd23694a6456c9a728a44e06a470c5d99f36

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
34fcf7a87854a26feb97edf632a57612

SHA1
9e499f0d236f3b624093932b830b5973525a1f1d

SHA256
3cddd6fdcf1757c755b00a2ae7917db7e1b44f4f87b8a47c2c60a573f94caccc

SHA512
58b040b7e63b253cd0d4e2fd75d24f210bf1f39af53c96d5951697ab82386434a5764ee57d93603b1da337fe565d5c76b21777b057de5bb1e62e30b6cb8f377e

Download Submit
memory/1376-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-17-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2364-23-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2364-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2640-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2640-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download