neconyd | d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe
Size

84KB
MD5

073edd0c834bc703e7fa56b9b2a0fc00
SHA1

ec87eb243042bfcdf6ed1bc5e200e91f18625104
SHA256

d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540
SHA512

0be5d15bc05f83e2745635e911b55f6f2a353601b892dfebeb770f57d87d36fbad960c683309159b1889eff1bd10825de0af57ecd70524c4984184ab3bca45d3
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:MbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3460	omsecor.exe
3808	omsecor.exe
4180	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3460	636	d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe	83
PID 636 wrote to memory of 3460	636	d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe	83
PID 636 wrote to memory of 3460	636	d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe	83
PID 3460 wrote to memory of 3808	3460	omsecor.exe	99
PID 3460 wrote to memory of 3808	3460	omsecor.exe	99
PID 3460 wrote to memory of 3808	3460	omsecor.exe	99
PID 3808 wrote to memory of 4180	3808	omsecor.exe	100
PID 3808 wrote to memory of 4180	3808	omsecor.exe	100
PID 3808 wrote to memory of 4180	3808	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe
"C:\Users\Admin\AppData\Local\Temp\d41cd8de046a07ad968c5b13c640620dc96615266aedd166a772412df66e8540N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
0e024c97c62dad14170131abd361cc27

SHA1
71eb7dc394156ff6091002de975e2fe2d254629e

SHA256
49476e930e3d4b5ef9f87e4b6e560112674d74b1f8973728e8132c2c1632c6e8

SHA512
5a01c62517e2d09441fbec0c1d6e05532c85ce759e0deaf368a72a0f30ff9edb593b65203f755e6b7d5b603fcefd159a86161ad444c9592f9fc299d232043147

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
f0a5ed9281293e937f52fcfecdd0ba43

SHA1
83e1587d5bd99b7c5d97c861c1cc6de403ebc347

SHA256
6a88106115e8018659f6b9f875d49f0d091a905c85b7995aa928183502c7f450

SHA512
c434bc92905f9d43c8b76bfd7a1cc3de76b771f07b57c99b8fc2b72dd4d00e008b2b05b8de44e44bd6abd69dc564b5e636bea3f7abfc7c2bd8fdd3881093567d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
73bf3b10f59e93435e6c0d521c31b25f

SHA1
12640a3a3b9fb52ddf438caaffae32b9bbb618a1

SHA256
803da337ec2b5843c94a37802e593176b65f250de0049f7dd47d76dbcaa1c604

SHA512
a2665ffd27281aa2cb37754afe1b84b4d4d085a05cf966ce5b6c3219fb4fb08cb3b65611ad7ac33efda42853d49f72a955c466c9f64b89acd3c4973d60f4c4ac

Download Submit