neconyd | 5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
Size

84KB
MD5

4ee95df8b9ce1fbb4655482f0ac56717
SHA1

8ff3cb08e445648e51272aebac9f81dc26001c99
SHA256

5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38
SHA512

f8afb346d8465e8f2d55487327c6d303d02898d79e006386929933fa93fb62be5ba291932c82a6fea732ed52d6799b761ec9f9c32776753a79846df1af4fd5a0
SSDEEP

1536:od9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:YdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4372	omsecor.exe
4072	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4372	1544	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	82
PID 1544 wrote to memory of 4372	1544	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	82
PID 1544 wrote to memory of 4372	1544	5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe	82
PID 4372 wrote to memory of 4072	4372	omsecor.exe	92
PID 4372 wrote to memory of 4072	4372	omsecor.exe	92
PID 4372 wrote to memory of 4072	4372	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe
"C:\Users\Admin\AppData\Local\Temp\5dc8b5e5e90f742b722dbdaba5d781058fe0cf86ab4baa773bb2652b03373e38.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
e575c98a0d263d101b7642279b17f62f

SHA1
a043a79c9ead9b095c6a0323eb993862402c011b

SHA256
ebed1f8e75107c61f084c8a3e2ca1487c8f839d125c93782ff7069ccd77f5c9c

SHA512
2f27bf1f214cc3ed35578d6a8268c5b45d5fe405c9d996a9f9dea26c95a073cadf1237bfd0002146492d4b58525e9ec116edcb9854d12c7b951514589064e9d5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
495457581be226df487d4bd81170fc89

SHA1
9f87c2a335d78c7984b1ff4ded30aa5d3b628e9e

SHA256
f1ccb9dd4bd07211b39604cf345be2ce11813e0d18b5e892b6f7908ba4ad5f9d

SHA512
c0b6e47c8397285c8390f694edbd3bb9f5119d953ca7ed4eeaf4b05f013244ae2c9cac099d0eabc8bc3bf26ea37bf3389a3923d841c593c7b682fac1e570393f

Download Submit