neconyd | 65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe
Size

63KB
MD5

c034291b01512888c6733929044bdb1d
SHA1

15358430d3620520a07e015b9d5c5291ad244abd
SHA256

65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54
SHA512

4a6500c39f3154ed565898ed797d2ce167d919160882c7f323091368ebe1c49218505581586b1e9d0f05d30117a3896d24587c717232a993c8c0646d1696cebc
SSDEEP

1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5E:mdseIOMEZEyFjEOFqTiQm5l/5E

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2500	omsecor.exe
5048	omsecor.exe
1816	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2500	848	65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe	82
PID 848 wrote to memory of 2500	848	65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe	82
PID 848 wrote to memory of 2500	848	65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe	82
PID 2500 wrote to memory of 5048	2500	omsecor.exe	92
PID 2500 wrote to memory of 5048	2500	omsecor.exe	92
PID 2500 wrote to memory of 5048	2500	omsecor.exe	92
PID 5048 wrote to memory of 1816	5048	omsecor.exe	93
PID 5048 wrote to memory of 1816	5048	omsecor.exe	93
PID 5048 wrote to memory of 1816	5048	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe
"C:\Users\Admin\AppData\Local\Temp\65160ab09c829f6b86d9490800dbb3fa6cc00cc4cda575097e5cf8d28d554a54.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
17cdba1ba45db0a92a9da8d96430cdb9

SHA1
cfdedc3dd06425f3bea6fbbf7d7c24b041f83042

SHA256
adaf894de36dff91f8d2f219a6a705371bb7e3cc9e0550b2ad6253068e6f04d5

SHA512
e30d1b223b95d619149ac7beefe04f18429eba5c171a5a55d87f7159b7a37217ba922ee2221e5aa3847bf9e0885d780820288e56b885848527908004da7af3f5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
57f21365b8a26f82ee3717ee38da474d

SHA1
79904203f56de578f69c2a6385fa5924521448a7

SHA256
8bac21abfe7a5aab0728f1d09f12b13740abc8a8f3496b426d2844f389373cc0

SHA512
f934e4d08e316cfeb5e4140565980ebaeca5c93d2330c1e4523bfb18e28b7efe70a36c92072f55136a66576f28f901160c1b221ef1ce738ba9bff81f44029bee

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
dd2156f4d521d82560d2e99d2030f9ce

SHA1
0e4ec45a76a5fa440bd3fc19d1829254f2f0d8c4

SHA256
3a6df68069a642756fa664d0699e7a94e39b56d25973ee01096de27f2ba1712a

SHA512
38cb2e87bbb0f78905cf5b26afd89213e1a8d5fa7b6481e8a6d1845a80930f2766b487b0e813e4ecdf3b4626f98b6e1edc8b5eb8f9cb96341ce5ec3e5781786a

Download Submit