neconyd | 8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
Size

76KB
MD5

d87fe9002df21cbc668639c043c22a79
SHA1

48681954230dad6bd85cc485cea7f0381668cffa
SHA256

8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d
SHA512

6d5cd64e8570090f22cbbb47fd9a386ba86456cf6c29ecd40c37e450cf7c037e75e6388a107bf1fb0fa8033c38534b997ad1022d0caf2a5a3c426d9b45b68474
SSDEEP

1536:dd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11L:VdseIOMEZEyFjEOFqaiQm5l/5w11L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4720	omsecor.exe
1172	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4720	1284	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	83
PID 1284 wrote to memory of 4720	1284	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	83
PID 1284 wrote to memory of 4720	1284	8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe	83
PID 4720 wrote to memory of 1172	4720	omsecor.exe	105
PID 4720 wrote to memory of 1172	4720	omsecor.exe	105
PID 4720 wrote to memory of 1172	4720	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe
"C:\Users\Admin\AppData\Local\Temp\8af889a36b8cb2843d3d694c2eb8dbc01b46c4d9c762b03b892af75cd358520d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1a7747c43f875e352cdb2bbecd2e6199

SHA1
76f5132997f9fcc469066d54db38291f48f86d22

SHA256
b521a35c2b53fabeac143f0376bd63c8bc574751a41b0e35f9116efe9a56be69

SHA512
926d214e62ba3909820cd7dd436a1264ee348705e006d0efc8f859b4c0078774d0b261b9edb7942545f145ea1dfbdd23694a6456c9a728a44e06a470c5d99f36

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
f6c918db15fbce7cc46f25f0ad26c8b9

SHA1
adb50d2e541bd707662bf795961cd7a39074ec6a

SHA256
32c88eca7708ed49efe739a0aa60348bf050e28e729eb7db1f31f608ba94f4d4

SHA512
b2739b3f9778096f1f79fb2b05d0abc66702e01e58df32e3cbc2c80c786ddaa998e5e460b98ddaae9e62acd25e4db8c825ca0447c5ec67d0702372b2cdc4e80d

Download Submit
memory/1172-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1284-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1284-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4720-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4720-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4720-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download