neconyd | 5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
Size

92KB
MD5

f8325c3186976a63e49178a45fffaa60
SHA1

a5922f3ea697cc2f4781a8d6bd2e5aa65aae49f4
SHA256

5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331
SHA512

9b53d1f95d998e4fec414fe2e1f88f483e45d4b12fe2b340383e1f3692fa02f31765f965e719526cf1afcf2ca165ba46272a895410a78350bdd33290c8ac185c
SSDEEP

1536:2d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:OdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3084	omsecor.exe
4124	omsecor.exe
2276	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3084	4468	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	87
PID 4468 wrote to memory of 3084	4468	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	87
PID 4468 wrote to memory of 3084	4468	5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe	87
PID 3084 wrote to memory of 4124	3084	omsecor.exe	105
PID 3084 wrote to memory of 4124	3084	omsecor.exe	105
PID 3084 wrote to memory of 4124	3084	omsecor.exe	105
PID 4124 wrote to memory of 2276	4124	omsecor.exe	106
PID 4124 wrote to memory of 2276	4124	omsecor.exe	106
PID 4124 wrote to memory of 2276	4124	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe
"C:\Users\Admin\AppData\Local\Temp\5893df2469e346c9c03e209a19a6011e4568827807ba736b5086daf7f6f90331N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
d464829e5e45ceec0f8b76fa64e7838f

SHA1
3f385647926153606495ee6955371bcaaf834a15

SHA256
31c4afd0d2ee3f828fe39fb02af5c2e2a745eb226e17033f319b031925595717

SHA512
4824ab7dc7ce2037af4cd842ee2350a490bb77cb37bda4f92c45ef387d746d92349341c8788e54a5ac6c7f6aadc539823eec4e2cf9380ad29f7d7b7faa19c37a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b03582a09c246ec0bc77a14899118c40

SHA1
16517fa9330036d50be463300a46e4540d069e43

SHA256
7d6568543514d441a6a716d4a4be7979180af99a795f11c2d88e0fa7a9773c3b

SHA512
844d00070c62f2419e33ddd8aade4437f391b6befe169e0f14638b09be4991e85535cbe5bb40f483823e548d27f8fcebeae1e12a956c8c9b5d8b1d96ffc04ecc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
7b1d3aae57a0581190e9910febc4dd70

SHA1
431c9531270a34a3da856f1091cba0cf8516a2d5

SHA256
2a0f45b0cd0125cdbbf5c7e8e34e33193ac2029d629a5694e4682640f944a5e5

SHA512
39a30012ed6b9639ddd6c6cd07f7b7ed1a4fd50f09be2209558ebd087d1cc0363655400f84ad92bfef30b496bd8c998033feab8e28da3f397bc1f83740aaf217

Download Submit
memory/2276-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2276-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3084-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3084-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3084-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4124-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4124-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4468-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4468-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download