neconyd | 5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
Size

84KB
MD5

4ee95df8b9ce1fbb4655482f0ac56717
SHA1

8ff3cb08e445648e51272aebac9f81dc26001c99
SHA256

5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38
SHA512

f8afb346d8465e8f2d55487327c6d303d02898d79e006386929933fa93fb62be5ba291932c82a6fea732ed52d6799b761ec9f9c32776753a79846df1af4fd5a0
SSDEEP

1536:od9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:YdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2948	omsecor.exe
4092	omsecor.exe
3944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2948	4288	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	83
PID 4288 wrote to memory of 2948	4288	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	83
PID 4288 wrote to memory of 2948	4288	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	83
PID 2948 wrote to memory of 4092	2948	omsecor.exe	99
PID 2948 wrote to memory of 4092	2948	omsecor.exe	99
PID 2948 wrote to memory of 4092	2948	omsecor.exe	99
PID 4092 wrote to memory of 3944	4092	omsecor.exe	100
PID 4092 wrote to memory of 3944	4092	omsecor.exe	100
PID 4092 wrote to memory of 3944	4092	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
"C:\Users\Admin\AppData\Local\Temp\5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
f1d590db9ffd52996d9b5822bb5e9ea8

SHA1
450ec66948b1f3f060c77e231b78aa06772c7b49

SHA256
172796a4e55d715ca350b2a2dd865f864a858597db552953b0b6d239f271ede6

SHA512
33b8f1a3bac461cbe696b919bb495b2e608e7d6026e9d8798a175c9103b80d043be6c8832a7d6e45a86b21f67d5cc8efc5d4231477526e42f6c913d820f50108

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
e575c98a0d263d101b7642279b17f62f

SHA1
a043a79c9ead9b095c6a0323eb993862402c011b

SHA256
ebed1f8e75107c61f084c8a3e2ca1487c8f839d125c93782ff7069ccd77f5c9c

SHA512
2f27bf1f214cc3ed35578d6a8268c5b45d5fe405c9d996a9f9dea26c95a073cadf1237bfd0002146492d4b58525e9ec116edcb9854d12c7b951514589064e9d5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
f62066327d059c6066635f1dba9384ed

SHA1
9801146246f54fa549f2db3c0d51f1fa0e99cce3

SHA256
f84cc5fbc90e91e58fe5a3082b7a3f2f6d67a496db0ccc0c218903b3cd9d4430

SHA512
e750a227ca3255fdf76666f855de76985c1788e7b3e37c509e58a819bb5b5f3593e25fac549fd26a822f937a35f9bd7944b38f1104db2664e7f6bd101d3780e7

Download Submit