neconyd | 24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
Size

64KB
MD5

1f04667374508060ce6a19e53e73e716
SHA1

0e50a1d92c5b792c6b4de050d8155dab87dffebb
SHA256

24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8
SHA512

3bc7374198cd1b922e070a74f5212f1f0a0ad9fa9db4ad8fa814138b61aaaa327da42a622293f4699510817a1e22644c77495f1e6ec7af9570cd7b7993ece2b5
SSDEEP

768:3MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:3bIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2664	omsecor.exe
4504	omsecor.exe
1704	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2664	2648	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	82
PID 2648 wrote to memory of 2664	2648	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	82
PID 2648 wrote to memory of 2664	2648	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	82
PID 2664 wrote to memory of 4504	2664	omsecor.exe	92
PID 2664 wrote to memory of 4504	2664	omsecor.exe	92
PID 2664 wrote to memory of 4504	2664	omsecor.exe	92
PID 4504 wrote to memory of 1704	4504	omsecor.exe	93
PID 4504 wrote to memory of 1704	4504	omsecor.exe	93
PID 4504 wrote to memory of 1704	4504	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
"C:\Users\Admin\AppData\Local\Temp\24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
41876ba4ce063a25de398850da02b206

SHA1
708dd385910b420877edf5b763693bd49df55b41

SHA256
8c7cba426b9c3cf86395ea84dd2f6df29213c57b9e6446c993fc274c7bb2c38b

SHA512
513a6df59a0d24bb67036a1b8077434569bb6bc4c46ba293a003442b89e4c9b9f76090979235aacfb2a5d783ef85ddb929534cf24e348ff4cee86cab4a6d0f77

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
cd69f485baf57ae1d54ba57252916f64

SHA1
599350c79a8563687f935da0acabdd3025ed0482

SHA256
d5d49d584a0ce510debcfb11fc5c086ae727c3acaa5c8a66b1258381a1cc0da6

SHA512
5f2e5d6f7cca59ac2e619e2cae5a778af0dcf0eba720a94ce3287848c7c6bc02fbfeeb1dcc273d0231e01c1d76adecef5b747722a4225293b7d2020a7bcd8b2c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
9b420b052e0201db5382b1b0847fd239

SHA1
def83f0577a4e3e6c1cabcb4894d4d55f1ca108f

SHA256
b27e7d2779526ba3562e72d97def41ab18857966ca0ee9e5d88d5d2007bc181f

SHA512
264adc2ba3c2523de23821b72a7a0d8bbb278f90df9bd51bf199d728c6156b2252f29b7421eff64bf7e387ac1c73f2d57ee2784bbd51f5340be28053d0246325

Download Submit