neconyd | b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9e

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
Size

80KB
MD5

e75273806a2269f82d7de52bb1e7aef0
SHA1

04e9a96117282e0f9d03c78f240bda153f5bfffd
SHA256

b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9e
SHA512

1746af1dbc275c4f9c0379c163fd0b129e51d220db76c569df323832e5d2b6fcc974df05a14fedcf77c54e9e74f2e96837d14c983308fa05958f219378c652f2
SSDEEP

1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:adseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
984	omsecor.exe
2876	omsecor.exe
1364	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 984	412	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	83
PID 412 wrote to memory of 984	412	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	83
PID 412 wrote to memory of 984	412	b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe	83
PID 984 wrote to memory of 2876	984	omsecor.exe	100
PID 984 wrote to memory of 2876	984	omsecor.exe	100
PID 984 wrote to memory of 2876	984	omsecor.exe	100
PID 2876 wrote to memory of 1364	2876	omsecor.exe	101
PID 2876 wrote to memory of 1364	2876	omsecor.exe	101
PID 2876 wrote to memory of 1364	2876	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe
"C:\Users\Admin\AppData\Local\Temp\b561bf95e7f8b9d49b7d2a35bf9707605d179e0c52b658e0e86ba986a8a15c9eN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
62ed439318ef90b2dc34dc97e4b6832c

SHA1
f3c38d99a230b21822b9c6616be4535959aced9e

SHA256
24a452e31e57a53c9bf02e2c4a4a6d6cee420e2be44d1dd53824b833a268df93

SHA512
a49c3f8620c43a5622dbe015d05b73cde4e3b6a334331c90b252628444ddf155c2cc6b43d601f90619d9badc1efbb1110ab811d6809fc2a4ec15c3d99afbc0eb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
8d3e6070c4213ec7ded331c8607de121

SHA1
0fea8634e966b6390860ee0974570900979e2c3a

SHA256
bedea8d8542bc927c7a564a4f0ebd5fa1c62e8ff528d3b055175f06d14587a35

SHA512
48e10c11292cbe062c74d053973c552d93140daa4586952cef1d05210b60b27ad17ce6fdda72bfe17b41f8d96993f9dbfbd7ee5f638bd5d6fc69eed4801756b1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
0da8cdd8f918ed7b6370d3f16d179e17

SHA1
8e33fb1c2b5487f64ee78d7e3c8d9de05888f011

SHA256
59c4ee2d43694c2fafc36cbf29741de2b0d83a27e5e9d03079844623c1db04c2

SHA512
e41d3fcb144521a60a4e313f9b7b880462e0ab7e68f7bd064c123e5deaa379aa551ddec8f116db8bba63b8fa14c5b3cc4aa6ece32ac4b894d3a75b8874d5dfed

Download Submit