neconyd | d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
Size

80KB
MD5

e69da5c3501445778de1cd41af270cd0
SHA1

a9178b211872ea64b90405bb72e383fc587ed2a5
SHA256

d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1
SHA512

f286bdbcf77142f5dd08b0a865c31c04b3aa5d288e00dadb43c527d572b1dadc9bbc6b0097f4c6491b18b681e9fa9cf9126b77bd6dcf461b9ec992259363e801
SSDEEP

768:mfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:mfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4496	omsecor.exe
1844	omsecor.exe
3108	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4496	4944	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	85
PID 4944 wrote to memory of 4496	4944	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	85
PID 4944 wrote to memory of 4496	4944	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	85
PID 4496 wrote to memory of 1844	4496	omsecor.exe	103
PID 4496 wrote to memory of 1844	4496	omsecor.exe	103
PID 4496 wrote to memory of 1844	4496	omsecor.exe	103
PID 1844 wrote to memory of 3108	1844	omsecor.exe	104
PID 1844 wrote to memory of 3108	1844	omsecor.exe	104
PID 1844 wrote to memory of 3108	1844	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
"C:\Users\Admin\AppData\Local\Temp\d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
05ae2a1c174f1c89a74dc26475c902fc

SHA1
496f982fd1b29fa3042726281cd77a8c8157ad35

SHA256
a5128959bc7a9ac7eab9ff10cb96a6988811bd7628e762ac36491fca956ea7dc

SHA512
d222d711aeb2074faf50245779ffea41e3ba9562cc93dc1983ac23757a9577d0ed3883bce4c6676ace4c6a6ca3c5cde36828f27710c545d434e82e6a8325cf09

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
366edc2c916d9ea71997aabe5f5f9312

SHA1
9c218926b9b134e9ef63e0478c34fab7de417f3f

SHA256
7d49e69f78a5c2659dda4ae7141045efaeaabd56fc8283c9849ad893e173aa43

SHA512
f724eb2792a6c8cb39d250b7e0ffd70780e01d8c892979155f86c957aeb5688fa66b9e7fa61b1a504aaea1192d2e0b19b6305eb64e44fb330108a54e13b01aec

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
0bd41eec8fecaedc293adc5405c34f0b

SHA1
bbe5e618e1719c5ec2bde26d31facca5be2a665c

SHA256
5b4e217946a847fc7b2a98c3a8e5bd33f99c4a64fc0ed40e888f8664eb33dd9d

SHA512
ac84bd92dfa1cd63384c6cab95fe7ebe49262f7cc596eef1b54c1cdbbae641fb91d0d52ed45f738d3113109bfa87a2a49414e5e856d08a4d3ca65f68497b11fd

Download Submit