neconyd | 2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
Size

61KB
MD5

99994b1679375a2ac43a437ef21d6f72
SHA1

301112fb37cf91a55e1c956370e0c08d85435ca6
SHA256

2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea
SHA512

cfa36e00f4c2a94038cf55270e311c951fec2df94640ab72e1e4a3958f45f5e3829da05ea2bee3343f08f9d855c9809e3e2221ad303b1f01d0b4e20cb45d62e0
SSDEEP

1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:ZdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4732	omsecor.exe
2616	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4732	4588	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	82
PID 4588 wrote to memory of 4732	4588	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	82
PID 4588 wrote to memory of 4732	4588	2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe	82
PID 4732 wrote to memory of 2616	4732	omsecor.exe	92
PID 4732 wrote to memory of 2616	4732	omsecor.exe	92
PID 4732 wrote to memory of 2616	4732	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe
"C:\Users\Admin\AppData\Local\Temp\2706bf3c9be1012662c48ca1298db668469149de0099739add6501368fddaaea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d8c73e90c500bc02d2534ffd26ea4407

SHA1
4ae1cb907d3e00a0b748ea372dce7824e83919d9

SHA256
012d95213f4fdf4774bb22e9cd84c47211bae56cd32faf92de2d888615a01b42

SHA512
ee53f4b4d16f04f714581fb1ca4df9e7d35e5e258cb8701ea8163eb64d2849eb91a83999ce86e0ef3136260a1b5edbb302a5019956f6e3060808930b477112e2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
295c040b27bac0cc16ffd6605ffffc4f

SHA1
2396457ff97bd728bb87ce12dcb00c29dba43a3d

SHA256
f714425e898febe758ce0325406b0d80b1e48b462dfc448ecc7f40be5311f721

SHA512
329658fb4bda807efede0f8a7b9a527e0384b6a94761641c426c09dff05741cfa4e55422a7a61654b6b04bdb1ea399f6348a19ef3c518cc270b9081fceec9967

Download Submit