neconyd | 95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960

Analysis

max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe
Size

61KB
MD5

140b15c736f1e164e6decc423efac6c0
SHA1

72d90014209a20efbb41632d53e779d5b2d5101c
SHA256

95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960
SHA512

413183568aa9d5b708a3a20e7fa474d798a12b6167d838b0e1f1c4a73de0812fbc9bfd2b98538e2cc9de5a1975dda31939be2e2446132d83c92bb358cff9e9c9
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5:edseIOMEZEyFjEOFqTiQmUl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1532	omsecor.exe
3124	omsecor.exe
1444	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 1532	3184	95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe	83
PID 3184 wrote to memory of 1532	3184	95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe	83
PID 3184 wrote to memory of 1532	3184	95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe	83
PID 1532 wrote to memory of 3124	1532	omsecor.exe	102
PID 1532 wrote to memory of 3124	1532	omsecor.exe	102
PID 1532 wrote to memory of 3124	1532	omsecor.exe	102
PID 3124 wrote to memory of 1444	3124	omsecor.exe	103
PID 3124 wrote to memory of 1444	3124	omsecor.exe	103
PID 3124 wrote to memory of 1444	3124	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe
"C:\Users\Admin\AppData\Local\Temp\95a2fff7e4ca432fc0f62a9efa4d6aa800c248f28a1351aec39cedd483f83960N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e1747aac1edd150703125fd4751aad31

SHA1
ad94ae0483822de8e5493ce2a1710968679c81dd

SHA256
4b80d0645b9afe4810f39e35fbb9d01ae4a592eb97fac7d38de834c249507d5a

SHA512
6a24bd61ca625b5d030c62ba9f96e092a4656cc02206114193dc3525e0376bba0c7e0657e58bada086815fb9ffb7339980a172c5618cfe7d4799a85fca48bcf2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7c235df148f6633af05950b4116addeb

SHA1
08c687897fe5789ae28bed28bd7fda49daea33b0

SHA256
4eefc9ae7a3877e0c77cf712dd74843db1c75720865bb3ca9af302652cb7e962

SHA512
202348c065c43260eac44d4e00fc72a93b2e37aef3f086ec346dc02244d9a17adf89a84375b18545abbbee73791dd83213afd4bbf6838df344d0a9e33e50bd80

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
044d3e3e3be44191e280e7f80212f43a

SHA1
ced158ea449c105bfe92a7e8a66642ed3f48f32a

SHA256
b6f623b179dd8505d4543e37e1ae9c49719ebe5714ad847fde882af462e63eb8

SHA512
14d6bd5724279cbceacf9d915833e7ef3e230ad809b7926815bed1a75a9e2cf2d92116ab11afd782b6126d864634b7bc6a3aed81a1e844ea2979e5e67cb9dd4e

Download Submit