neconyd | 87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
Size

80KB
MD5

4d09d418e20dadaf6bb4b71b9e9b70f9
SHA1

a08239d7bbfb50e2b68a16373b090b63507316cc
SHA256

87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d
SHA512

c1fd63cc5b078701d2f370400b93e8f703596f6eafb014a83861228babcaac01e83efd9369e182ad1c9520178f4195fdf6ab979fb50db6481a252684c2590beb
SSDEEP

1536:Cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:ydseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4044	omsecor.exe
3680	omsecor.exe
3964	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 4044	720	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	83
PID 720 wrote to memory of 4044	720	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	83
PID 720 wrote to memory of 4044	720	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	83
PID 4044 wrote to memory of 3680	4044	omsecor.exe	100
PID 4044 wrote to memory of 3680	4044	omsecor.exe	100
PID 4044 wrote to memory of 3680	4044	omsecor.exe	100
PID 3680 wrote to memory of 3964	3680	omsecor.exe	101
PID 3680 wrote to memory of 3964	3680	omsecor.exe	101
PID 3680 wrote to memory of 3964	3680	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
"C:\Users\Admin\AppData\Local\Temp\87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f641b1cfbcc2b3cfda2d664b53d389c5

SHA1
c765b4a09fbc0f197f22a364ff4a5f20e7bb837f

SHA256
cb2574d1e6d6d0cfdc00b99e412a7d251600e09f5e54ed89d47777743ed78bc9

SHA512
b0d8e5419e027aab72f5dfcab30b7bd131cd51320f7a2fc9b2c3bf3da30d00e54c58ca92eb963a2f23e3688647c4fd55da5c2840436ddce10853d3e539b4e7a4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
e6c40e0f6a59185c79e3982dd2499041

SHA1
175c6fe0c4ccb5174d84c5cee633fbbe57019f0b

SHA256
b8ffd946f0e1c896d539f97c4c43a8132e40f0e1b8227384318e2602704f75d9

SHA512
1f7208760ff0aa74205a624a3c674da6f9993a6a0a4800f6cd11886096b85a744c0c0dfed3ef04fb3acb61026f35f82f60f5886521d2ae1cde86183338ef9641

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
b2debd4fcbd00d8f158d88590a7d6181

SHA1
b491f62eb10c82721b4df45957d444dce62253ae

SHA256
859b8035c336acbc8027a10e508dbc539106666c9ce4c831051319ee8591686d

SHA512
913faa34c927bb669500a4de39905f987b460e44cf17efafa2ec6b29d5f76bad26b4f55432720e6813ae029f79a1261727c5cdc85a3a501749b942734a27d353

Download Submit