neconyd | de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe
Size

61KB
MD5

ecfa424020dc3bb609e8b24c077cbbf0
SHA1

92f8a767ac32cbe7b407d8b7c33e0909fd744e9b
SHA256

de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69
SHA512

0d802a25cdfe4d85a4b5c4a56849c2955b65851e5cbe48bcc560a5419ca0833efe7d108e2ab7fc34d0d8d42066328e4dd072c04c6360a2aad5fca6725a121c03
SSDEEP

1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5:fdseIOMEZEyFjEOFqTiQmil/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3268	omsecor.exe
2820	omsecor.exe
1008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3268	3540	de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe	82
PID 3540 wrote to memory of 3268	3540	de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe	82
PID 3540 wrote to memory of 3268	3540	de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe	82
PID 3268 wrote to memory of 2820	3268	omsecor.exe	92
PID 3268 wrote to memory of 2820	3268	omsecor.exe	92
PID 3268 wrote to memory of 2820	3268	omsecor.exe	92
PID 2820 wrote to memory of 1008	2820	omsecor.exe	93
PID 2820 wrote to memory of 1008	2820	omsecor.exe	93
PID 2820 wrote to memory of 1008	2820	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe
"C:\Users\Admin\AppData\Local\Temp\de28115dbb62f23a0a75f2b04792403b16efae8667742e1f34471e6043f49f69N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
801241855f3c6431a9392769c7503c38

SHA1
cee36d65062144d4177bd743ef3d8282a09dea0a

SHA256
db71ae815bf36010af7fe00f8b030a171e47c83a7daf942d959f944623422d72

SHA512
382fe96f88a00d9fef61acfe5ca2ec934e6aca73fc5a2048615c96c83c48ac4fb03cb6f2cb3a5e5fc7f170ab218fad76760d3af964197d27c1735bb7c1a49cee

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
0d34ae84e2b9b1f3445036382d4669ec

SHA1
43b8ff0ae8be8ca4982b11ee63c0e49ef5e6fb4c

SHA256
22808aca1e223e051e1432afcc57f59aabe9b77888c51c32a4c4c31cd4942205

SHA512
601a66d741a51d51fbba3819afb93ec692782c81bd361018b47abb05adeca5b8c9971990b8a507ed39e76c16b3ca05ddf162bd27f479d0679f0a2c65aa404f74

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
84d2a14e704a6edbf25f17a0646d78ef

SHA1
a85f3e80ea564afb804452de85afa928a9c9e3ba

SHA256
799c771daaa9454c9f2bb39b1e8e62ef3d56c8a61e3f926e8a67ceda458dcbd2

SHA512
77319aa112a0990ea04a579d0194dde00f8fc8dfd4b53b6d2ec002ed4a6673ce3b8cb581322c51083510a239d66a4b4a48fe91b62c5d3758b51cae6929c703f3

Download Submit