neconyd | 9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe
Size

4.5MB
MD5

8612aedf06085c5301ffffb80052ad7d
SHA1

a9441faa8469b005ca62300fa7a4ee608e6ad75d
SHA256

9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a
SHA512

d9c562671b344c902d70cfb1258900a9d2a2fc7c20eab99a8e6a1669843f29e77a4327f6784def624bf98b48120d8c9d1dc7440853d3ec2a120fe9498c7d9037
SSDEEP

24576:T9Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DBP:BKnuTZh8JUUyJCS9CXT8EnysR

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2296	omsecor.exe
3848	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2296	4528	9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe	83
PID 4528 wrote to memory of 2296	4528	9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe	83
PID 4528 wrote to memory of 2296	4528	9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe	83
PID 2296 wrote to memory of 3848	2296	omsecor.exe	98
PID 2296 wrote to memory of 3848	2296	omsecor.exe	98
PID 2296 wrote to memory of 3848	2296	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe
"C:\Users\Admin\AppData\Local\Temp\9da06fc5645e6974ce94884d4a53466451cbba69de2daf075f1f20c1d6feb24a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
c0a666b8b58760cff0517bab64eb4a8c

SHA1
4a527a64174123e368de51d61ca4ea75e8984bda

SHA256
12421e21ef191af505d09bcdd8c11184eee0e2e18ab2986876ccb7337c14518a

SHA512
6b61b2bb1f0f1776f479c9d291efc9b4a3e2de21935a7a3028ae4755999c72efe140ccafc30dfb15222533de42ca22e5350f42317379ea992fb3d8e0803c5bd8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
1621571e6eff3e637306e62313f2d9e6

SHA1
af0655e2f104c8c34594186a314a76538341f118

SHA256
8198c9ad2b8f2b842e7c3622dfb3e913b1227291c2a6ee0c365c98e182411770

SHA512
3cca3a20e3d0e3cc1e7d3c8b6b4ae2fc08c8d445b93cbd0086b368e565bc6b43693a7da03e409647c94828fcb212e546c29910e32ce436ebcbd0526a69f102d6

Download Submit