neconyd | a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe
Size

84KB
MD5

a95f8dffea35785d94c284debb993b59
SHA1

2a96008c5236697a8fdddd059529e674de3cd0b7
SHA256

a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118
SHA512

af6565b9853ba85b40dcace652a2db6269b4276a601bd978286408d9204fdb6f2785cee44cc96561a9e9a26de84f72ba180a48c290ddbf2aeeb1c99be11d6788
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5b:KdseIOMEZEyFjEOFqTiQm5l/5b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
852	omsecor.exe
2064	omsecor.exe
100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 852	5040	a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe	83
PID 5040 wrote to memory of 852	5040	a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe	83
PID 5040 wrote to memory of 852	5040	a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe	83
PID 852 wrote to memory of 2064	852	omsecor.exe	100
PID 852 wrote to memory of 2064	852	omsecor.exe	100
PID 852 wrote to memory of 2064	852	omsecor.exe	100
PID 2064 wrote to memory of 100	2064	omsecor.exe	101
PID 2064 wrote to memory of 100	2064	omsecor.exe	101
PID 2064 wrote to memory of 100	2064	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe
"C:\Users\Admin\AppData\Local\Temp\a074072e8532a7962482d685815d366a3ff15856f1282ea8c3713a850e53c118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
b9f5494000aa087c6ac16eb486aefbd3

SHA1
c530019e424856e9e39d708dc19b908d018b78ff

SHA256
c13a67dc03c173004d1ec3a1cf87293433a7f96b467f3a1a6a702dae9dee24bf

SHA512
de0e318f97b08f1d7501b871fb75640eb221ded62b55a83b463bc6c3ceefd6b1f7f2b80803ae044a06b0ede88f02e55f0d7b3f3aeabb937fe2b40b08f1df5a74

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
cf9eeccce9e29f4cc94ee2e177e69c3e

SHA1
8fa80a6f972b439a44cf54daa05df4a13e9f3c10

SHA256
66fbe0d7557e2f8c619e9dc81a2cb6ff2cb7b7d4b996e017f267b0cf746be414

SHA512
3a74616b43465f3a606b38878b256887825868b56270c77f9a8a79d3154d64e166097f9e40966bdee34fd62f0b435db56f70882b5a2b62b67c57dd5b272be31b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
90d36ec45446b1efddf22a19bbfabd9b

SHA1
43b531c22f98236ce3085160a5374657f087ce7e

SHA256
9c01db33ecbaa4dd6bafacce99d7408e73ba839a08194c222003de509cf7db8c

SHA512
1ffb2ff46ae37d483fd4fed63d60a727f93c445823a366bfbf934c6672dc41c8787938000baa368eb00241993fff1c2edd3e8ecbcccce67e0cca3e559869a086

Download Submit