neconyd | 2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
Size

61KB
MD5

99994b1679375a2ac43a437ef21d6f72
SHA1

301112fb37cf91a55e1c956370e0c08d85435ca6
SHA256

2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea
SHA512

cfa36e00f4c2a94038cf55270e311c951fec2df94640ab72e1e4a3958f45f5e3829da05ea2bee3343f08f9d855c9809e3e2221ad303b1f01d0b4e20cb45d62e0
SSDEEP

1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:ZdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1300	omsecor.exe
1960	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
1300	omsecor.exe
1300	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1300	2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	30
PID 2044 wrote to memory of 1300	2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	30
PID 2044 wrote to memory of 1300	2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	30
PID 2044 wrote to memory of 1300	2044	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	30
PID 1300 wrote to memory of 1960	1300	omsecor.exe	33
PID 1300 wrote to memory of 1960	1300	omsecor.exe	33
PID 1300 wrote to memory of 1960	1300	omsecor.exe	33
PID 1300 wrote to memory of 1960	1300	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
"C:\Users\Admin\AppData\Local\Temp\2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d8c73e90c500bc02d2534ffd26ea4407

SHA1
4ae1cb907d3e00a0b748ea372dce7824e83919d9

SHA256
012d95213f4fdf4774bb22e9cd84c47211bae56cd32faf92de2d888615a01b42

SHA512
ee53f4b4d16f04f714581fb1ca4df9e7d35e5e258cb8701ea8163eb64d2849eb91a83999ce86e0ef3136260a1b5edbb302a5019956f6e3060808930b477112e2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
28ba9f0cccf8d81661946f477c72b3b1

SHA1
c6ba9c621970144dccfaa3980ee99124f3e21d5f

SHA256
4a792ec8ac38923ffba6f0bd712ae68efbf9474bb1aad99eeff353c6cbee706b

SHA512
1ee31a33eff68c3ff693b9a246bd3d5de71a44b4e0907e20b5ec0dbb950a6adc9727b8e6106ef2e73909edddfef1152650f7b4ec1529a826a8ea6520d5775a66

Download Submit