neconyd | 8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
Size

90KB
MD5

6a95558edb58d716532ccd8add56f032
SHA1

3a31fe63998a1ad9c1e406f0e4fc0c8f0076a190
SHA256

8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32
SHA512

0f14609da9d6b048d4ca5ae9e4430db81eadd201a1a71b709d9a40d939812cbab7176f7395e75676b19d0949043aaac129a1bd3803a72ed65fbfe807726b2a09
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:PbIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4988	omsecor.exe
4256	omsecor.exe
2516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4988	3752	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	83
PID 3752 wrote to memory of 4988	3752	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	83
PID 3752 wrote to memory of 4988	3752	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	83
PID 4988 wrote to memory of 4256	4988	omsecor.exe	100
PID 4988 wrote to memory of 4256	4988	omsecor.exe	100
PID 4988 wrote to memory of 4256	4988	omsecor.exe	100
PID 4256 wrote to memory of 2516	4256	omsecor.exe	101
PID 4256 wrote to memory of 2516	4256	omsecor.exe	101
PID 4256 wrote to memory of 2516	4256	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
"C:\Users\Admin\AppData\Local\Temp\8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
e6f244a3924d5ba4256dad33d229defd

SHA1
20bb43cc02003b97a1883802c2d131d36d57bbde

SHA256
18e48ce007df9c6edd46aa4ac74713d1a4af3e301c6558668d4bd44951c2bdc6

SHA512
790d5d6d76a953dfc4ffdf45321dea517d591d8d2d60b90572c8bde2f7ebb85b5dda0ce7bdb9d359958ec141af3f0b94a8adabaef2ad972dd336ef33acd2ec79

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8b69984e8f68f71fc256ed37aaf60f5a

SHA1
2e37313c1338295f2f9c651aba5d0aa17cf61b1f

SHA256
1af041d349e512e5fc79e69b8ecbc53182e451e70713035eb1a73b176f63c7c8

SHA512
c442fb407ffd525824ec065d18f71c16e922fee0c003900d7c6b44d95d70026d5a8e99c96d89df6a9838aa58af8fd6749aae5b28a353969f90c52b928e791dc7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
231f7799ed0b6ee5fe83b39c5ef9d33d

SHA1
8fc30e59a9f97cb7eddea1857b8fd85f71fafd21

SHA256
4227e650fd56e77c0a7844a4146485927102f432d654dc76397fd33309c590f1

SHA512
e3510f91a825c9208dfdd12f0584c8b8569571dbbdcfe37e4207054a951b047ba328a79196a3186c6330148bb2c0e1dd839162fa7537c767095d94c972e9390c

Download Submit
memory/2516-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3752-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3752-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4256-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4256-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4988-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4988-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4988-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download