neconyd | 5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
Size

92KB
MD5

f8325c3186976a63e49178a45fffaa60
SHA1

a5922f3ea697cc2f4781a8d6bd2e5aa65aae49f4
SHA256

5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331
SHA512

9b53d1f95d998e4fec414fe2e1f88f483e45d4b12fe2b340383e1f3692fa02f31765f965e719526cf1afcf2ca165ba46272a895410a78350bdd33290c8ac185c
SSDEEP

1536:2d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:OdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2056	omsecor.exe
1468	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
2056	omsecor.exe
2056	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2056	1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	30
PID 1304 wrote to memory of 2056	1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	30
PID 1304 wrote to memory of 2056	1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	30
PID 1304 wrote to memory of 2056	1304	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	30
PID 2056 wrote to memory of 1468	2056	omsecor.exe	33
PID 2056 wrote to memory of 1468	2056	omsecor.exe	33
PID 2056 wrote to memory of 1468	2056	omsecor.exe	33
PID 2056 wrote to memory of 1468	2056	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
"C:\Users\Admin\AppData\Local\Temp\5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b03582a09c246ec0bc77a14899118c40

SHA1
16517fa9330036d50be463300a46e4540d069e43

SHA256
7d6568543514d441a6a716d4a4be7979180af99a795f11c2d88e0fa7a9773c3b

SHA512
844d00070c62f2419e33ddd8aade4437f391b6befe169e0f14638b09be4991e85535cbe5bb40f483823e548d27f8fcebeae1e12a956c8c9b5d8b1d96ffc04ecc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
976533a6d02a5dc0d4296f0da2659796

SHA1
be86dc442d45150414daf160fe67ccab8355b2c9

SHA256
1e2563437c89a5ea7d4667b08839908b2baf18c5fda67e73eaa6abd4c2d0524a

SHA512
8277043d96574408391d6f372fb5ef9ab92f6be30f1ebd23079edf485ed47b71c0bd818954596d170765d565ee27fe8e7c8655878712fdc231265e6b347ed91c

Download Submit
memory/1304-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1304-4-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/1304-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1468-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2056-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2056-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2056-18-0x0000000000360000-0x000000000038B000-memory.dmp

Filesize
172KB

Download
memory/2056-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download