neconyd | c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bc

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe
Size

3.2MB
MD5

4024a4b521b031f48811ad3db5c442d0
SHA1

5be742f35b9656428c0a4138394675fa730cad98
SHA256

c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bc
SHA512

ac2e8b3601f7062caa52dca1bff6957ae74051cffe1f3177d2c946a024df3e0a9f3eb372bddedbd99c60a18d8f7b321a918034dce5502dcbcd5138fc6edae017
SSDEEP

24576:ZOsfW+/6oTFwh3Qh3YZrxEu8CL7W2Y7TjtWDlp5DB5:M6W+TFq6IZj8N2Y7T5GFr

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2916	omsecor.exe
2660	omsecor.exe
2764	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe
2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe
2916	omsecor.exe
2916	omsecor.exe
2660	omsecor.exe
2660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2916	2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe	30
PID 2868 wrote to memory of 2916	2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe	30
PID 2868 wrote to memory of 2916	2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe	30
PID 2868 wrote to memory of 2916	2868	c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe	30
PID 2916 wrote to memory of 2660	2916	omsecor.exe	33
PID 2916 wrote to memory of 2660	2916	omsecor.exe	33
PID 2916 wrote to memory of 2660	2916	omsecor.exe	33
PID 2916 wrote to memory of 2660	2916	omsecor.exe	33
PID 2660 wrote to memory of 2764	2660	omsecor.exe	34
PID 2660 wrote to memory of 2764	2660	omsecor.exe	34
PID 2660 wrote to memory of 2764	2660	omsecor.exe	34
PID 2660 wrote to memory of 2764	2660	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe
"C:\Users\Admin\AppData\Local\Temp\c5323486c94dae16219f49efa62cd2edb9c1aa400812e888d2a714561c8ec5bcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
c978af78bf4d82735018d881b5c540bb

SHA1
166d21bca0467b93f49a251b1da589deccfbc695

SHA256
04cd5be2c7cc80accf3c5f558061f8285a777f71fc5df8d05d46d710aad9e294

SHA512
dd24f3e5e066201bfa54c3af33fdcf61515a032d07d149e3fe53de19414489ab42ccff6a3b29d3b3359e7f9b2d8faa8da1345287805d3152438f5e1d8548a22e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
767faf9f0a320d7e6e844dda05add0ab

SHA1
ef5f0c160d3f1c70bc10027b17d188c0173e29a4

SHA256
f500d0924796684e1eb19fb191cd51a4a30de4b43d31ae129d3ee623638406c2

SHA512
4d3eb4fe13ad706364f7de85a8ce93fcf2c438d6e9d89cca94c53f53b56b9c5dc439dd5fb7bae72977eeb86a234ed3b1cf328e3b3e4d907eba1abec7acae73cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
3.2MB

MD5
c1592e7a53b9ebbf2c0c5bb10c92ab29

SHA1
ef17a935c0a502cdf547acb247aa793677f497e0

SHA256
1505ac7b34220f6c5cd57952b0f2164ab288811babae621c9a22fb3f31ff238b

SHA512
bacf9c87b0a499fccdabc67efd8f47673a03bea7f77b39e3869920281f3c441369c3cd466f768c36b3e2ce0720eaf703cc42a1183f08733c74cdb74e73418439

Download Submit