neconyd | 38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
Size

61KB
MD5

121e47853541cf15a1249c5580840cea
SHA1

28161b7d82dfd76176f68784228dcd0cb938cd5b
SHA256

38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818
SHA512

c1d8bc14cb413ddaeae5ecfa93ef2f7faacd089e609f56a1fbc5c87f83e6e6c7660508f1bb707d007d0e21856abf82857d39eb119effe63ea9b31c567f23b9c3
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5/:4dseIOMEZEyFjEOFqTiQmil/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
736	omsecor.exe
2084	omsecor.exe
2956	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 736	2324	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	83
PID 2324 wrote to memory of 736	2324	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	83
PID 2324 wrote to memory of 736	2324	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	83
PID 736 wrote to memory of 2084	736	omsecor.exe	101
PID 736 wrote to memory of 2084	736	omsecor.exe	101
PID 736 wrote to memory of 2084	736	omsecor.exe	101
PID 2084 wrote to memory of 2956	2084	omsecor.exe	102
PID 2084 wrote to memory of 2956	2084	omsecor.exe	102
PID 2084 wrote to memory of 2956	2084	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
"C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
486d61f95d17e5620afa5ccadf067560

SHA1
241f34d9c63f6a1b383c290633a5edde352d0c63

SHA256
11f5dd4c8678032f1bc69a03546291fe9f83ef00004d9fcd34afec1e37f2f308

SHA512
e3e71a92583a7f0df20a7bb13e3628365ebcf708db6131ceab52928417242171a1fc389a76fa4333ac4c5f0b4cb02613b5f41e886b1d1f9e45e2ac83cd75adde

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
98ed742ba0356531fb0a83cdde90b155

SHA1
b8aa0011c53c862a00552ee48941565971711820

SHA256
7ed24dc5088dfa3bef027926ca64d95e5289469f23edf0d8cda8f6c67d937200

SHA512
459b0515d9af76715c25b76d0ee7aa64265a54770888c645271c7fad44831b1e9919883fdd930ca24f702b78e716c50a6a7eff0232b1f741dac22bf29d29b2c7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
ed612d7d769433a7a1c719391cdc1af1

SHA1
03bac4bb92f89de390dd6a82bae26326e7b96746

SHA256
25c4bf46183307d8ec12b971f768077e4fdcb7294532d418835fb7c68703eafd

SHA512
1462f780d1201d4a20d722d0514e888ba7a7c0ae03db6e50e1fb316e384ff6ae6c43ce47a20a7f05e1f88b466b0d829574e2afb773c262b54d8a692412d12120

Download Submit