neconyd | e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe
Size

90KB
MD5

d803f404390009add7e68a9ab12c6370
SHA1

b815045b59aed569296395e96a8ced9f677d592c
SHA256

e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662
SHA512

67eed2158d3f0793bf6436e867d62833ef89396ef20574cff8104580ff5c6af1db7904daf2bf9726686474bbeaa181eb3adb3f26fa5852d054d317e04374ab24
SSDEEP

768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:tbIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3348	omsecor.exe
3916	omsecor.exe
1176	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3348	1656	e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe	81
PID 1656 wrote to memory of 3348	1656	e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe	81
PID 1656 wrote to memory of 3348	1656	e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe	81
PID 3348 wrote to memory of 3916	3348	omsecor.exe	91
PID 3348 wrote to memory of 3916	3348	omsecor.exe	91
PID 3348 wrote to memory of 3916	3348	omsecor.exe	91
PID 3916 wrote to memory of 1176	3916	omsecor.exe	92
PID 3916 wrote to memory of 1176	3916	omsecor.exe	92
PID 3916 wrote to memory of 1176	3916	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe
"C:\Users\Admin\AppData\Local\Temp\e5953cd698703b3157300822048564b17619639d642b8a79b851d35f041d4662N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
1b91a0c092eab290cb912b0bc9a10a56

SHA1
3a0657d677a67a4ae16abcda7a36dfd96e6b0694

SHA256
afef9753cd6ffab79a13f123b15b94a300438c1c74d47073f953b6a6b203047f

SHA512
3cd7bf105c7715dfd4788044d7f5dd69c171af97081e7b7867a8c1f34899a5606794dea446fba974d5bf89217ad5b8eda1c0938383ba85ff4250e26e3feb9e51

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
203f1149640dbfde233161486df61a44

SHA1
c82793325fb1dd2cc41f56ce7d817ba908966d98

SHA256
a2be7ec02da308b69ce9089df9896edbab677a6f5a9df3fd77987d31c5868a2d

SHA512
e3a4686fa6ade1ee46789bf085eaaefa2361ba627930e27d6d1dca624d2beb70071740d2ef5b57685b8e292cdc5378b580859037378e77988cb74e2c3edc797d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
09e8a901ebd4371ddcb8e672bbc7e9be

SHA1
688f363f3b2ae0929db94b14d05843a6f8546b31

SHA256
c8262ad6be2efd9f4f84d103a356714a7e6049e6be431de5dc7c5adf80a231ae

SHA512
a98fed076afb681ac62931e7bb1528c303a3491de46fb9006f843ccd30c25c729fc71fed83489bb58690ef49fe2b8b6b42a38bc93f9b60d4d533b02f682b01bf

Download Submit
memory/1176-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1176-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1656-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1656-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3348-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3348-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3348-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3916-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3916-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download