neconyd | b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9e

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
Size

80KB
MD5

e75273806a2269f82d7de52bb1e7aef0
SHA1

04e9a96117282e0f9d03c78f240bda153f5bfffd
SHA256

b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9e
SHA512

1746af1dbc275c4f9c0379c163fd0b129e51d220db76c569df323832e5d2b6fcc974df05a14fedcf77c54e9e74f2e96837d14c983308fa05958f219378c652f2
SSDEEP

1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:adseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2600	omsecor.exe
2540	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
2600	omsecor.exe
2600	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2600	1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	30
PID 1720 wrote to memory of 2600	1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	30
PID 1720 wrote to memory of 2600	1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	30
PID 1720 wrote to memory of 2600	1720	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	30
PID 2600 wrote to memory of 2540	2600	omsecor.exe	33
PID 2600 wrote to memory of 2540	2600	omsecor.exe	33
PID 2600 wrote to memory of 2540	2600	omsecor.exe	33
PID 2600 wrote to memory of 2540	2600	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
"C:\Users\Admin\AppData\Local\Temp\b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
8d3e6070c4213ec7ded331c8607de121

SHA1
0fea8634e966b6390860ee0974570900979e2c3a

SHA256
bedea8d8542bc927c7a564a4f0ebd5fa1c62e8ff528d3b055175f06d14587a35

SHA512
48e10c11292cbe062c74d053973c552d93140daa4586952cef1d05210b60b27ad17ce6fdda72bfe17b41f8d96993f9dbfbd7ee5f638bd5d6fc69eed4801756b1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
92546bd3e437b1d20f3e2af78cebe6bc

SHA1
b02aff1c294c09fec3e7fea12de522c82b534d94

SHA256
4778c0b0915b9e7115efdeafecb5dce86f203632c9db72e3380789d5e398200a

SHA512
bbdd9f12d955b5c216bc84d25ef0abb377dd731a077feeaf0f707d93e18a22a63d72d399f05e31145ff73b4dbba5fe64f0230eee67df07d7da5989545e6723ab

Download Submit