neconyd | dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420b

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
Size

80KB
MD5

36de0871e14d5a62e52be1d5b10e7ae0
SHA1

613a84912a10e246a7cfdfc55f1b27886d6a90fb
SHA256

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420b
SHA512

8dcdd5dfd4986a93e227f187a83da22cf6bd5fa27cf60c711d32132da923071f77eb9f3935863b16845232386b0075030521fc101156a5b31201c3d37370027d
SSDEEP

768:4fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:4fbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid	Process
3020	omsecor.exe
1280	omsecor.exe

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exeomsecor.exeomsecor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exeomsecor.exe

description	pid	Process	procid_target
PID 1088 wrote to memory of 3020	1088	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	82
PID 1088 wrote to memory of 3020	1088	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	82
PID 1088 wrote to memory of 3020	1088	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	82
PID 3020 wrote to memory of 1280	3020	omsecor.exe	92
PID 3020 wrote to memory of 1280	3020	omsecor.exe	92
PID 3020 wrote to memory of 1280	3020	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
"C:\Users\Admin\AppData\Local\Temp\dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
002c7bb2928a008cb8fd9a49b68bf425

SHA1
0adc2461db9d1c3a7ccaa5bae589b19aead5d554

SHA256
18019733b4d99aadd7abc879b4cea11f9cdc9eb68f453ed91cde8e71fa4a4cb9

SHA512
659e5c09f1f308c765004c0ffd0af62897ed12a0669252820ff99d4286cc63a852222bb9cdc905be4d7c939dea190c7d4ad6dade8d195816bc5fd8920cb7b514

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
eadc040d5ade8648fb30ea5ad3531605

SHA1
d23a17bf9419a5e63169927e026bb4a4a0536fa8

SHA256
1e2a94e40c0fb6cc02b50a96a1e293a6924eb057bf2e8ed85a858e1c3cab801c

SHA512
bda48311e0ea2fe4231adf6bc3853c253f70f29eb48e2065f8c131c2c2ecc4c201458204a0344b23c7d814c096b6b832e07deb7bda07b0dd367669099b4ee6b4

Download Submit