neconyd | 9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe
Size

61KB
MD5

734aaa0c52852a914a757ebebb6576f0
SHA1

eb8c6fec97cc55f3e9d84015b7aee818a34fa88e
SHA256

9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537
SHA512

a78a2f614e53fbc41257e862ad0781e136d55a75a5636ff5a0e769f30e10b39f53240bc1f29116f84e672be6c5ac960e3535542b1f417f21c5596453599d4442
SSDEEP

1536:kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5:cdseIOMEZEyFjEOFqTiQmil/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2680	omsecor.exe
1584	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe
1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe
2680	omsecor.exe
2680	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2680	1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe	30
PID 1736 wrote to memory of 2680	1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe	30
PID 1736 wrote to memory of 2680	1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe	30
PID 1736 wrote to memory of 2680	1736	9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe	30
PID 2680 wrote to memory of 1584	2680	omsecor.exe	33
PID 2680 wrote to memory of 1584	2680	omsecor.exe	33
PID 2680 wrote to memory of 1584	2680	omsecor.exe	33
PID 2680 wrote to memory of 1584	2680	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe
"C:\Users\Admin\AppData\Local\Temp\9fabaf71c06e1701f1fcd3829cf3104464a76afdc74a8eadc9cc6623c06da537N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
345bfff187155409a726c29c44db8121

SHA1
589fcccb252cc0532a98ca47d719248102b61af9

SHA256
87b364098c142a1490bb4411cca25e0ad3ef5aa8dfd83647968ce962db7cbf08

SHA512
656d3698ef1340f6516a5e61ccee239f0afe96ce79d872fe3e5fe515a4d60bfccff89f7e8c553416c44c25550859a8f6084cfa0d93724ef7ea29ca971eade55c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
72f6c968249045e08aa2939a84b71c8d

SHA1
83f288085c43336e60434b4edd3b3a09e5bc4606

SHA256
47e4d8e302a9e9f7fe13d48f04e1f64d162431abc10c7565e5aed9cc3a332672

SHA512
51cffb6a31713ed40323fada99025da3f23aa779f1494f1a623d063395428eebbf9361ee3bbb81cee87fb36186a06a6d67363a4340f7378e640cf2cf552b95b9

Download Submit