neconyd | caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
Size

61KB
MD5

5ea51eae9c69eaa9eaaa4952fb817270
SHA1

ce2ed574329b618ad30574db94aa5bfd919c8693
SHA256

caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50
SHA512

5e651860e084490ffe4e585867c14f7f953424a8a465d7ed42d2d445dcfcebc45fb5714a2405cc8d49f2ee67b76abac9725f51021ad8e5c73231a8190ad279e1
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5:4dseIOMEZEyFjEOFqTiQmil/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2524	omsecor.exe
1336	omsecor.exe
1488	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 2524	4376	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	82
PID 4376 wrote to memory of 2524	4376	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	82
PID 4376 wrote to memory of 2524	4376	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	82
PID 2524 wrote to memory of 1336	2524	omsecor.exe	92
PID 2524 wrote to memory of 1336	2524	omsecor.exe	92
PID 2524 wrote to memory of 1336	2524	omsecor.exe	92
PID 1336 wrote to memory of 1488	1336	omsecor.exe	93
PID 1336 wrote to memory of 1488	1336	omsecor.exe	93
PID 1336 wrote to memory of 1488	1336	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
"C:\Users\Admin\AppData\Local\Temp\caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4ef26d22468f3f4f2f2db446c8168b9d

SHA1
079585aaeb97137c55e6b04b6049c4015b49003c

SHA256
b802b986a5910c80413270d29480042b96fddb60968568869e987bce7e746863

SHA512
760d2e8c40a8c94be86600a0a55719d066d325079eb65199df00b9360f0b39fdc75aaa4272da8d0002bbee88a86a3b811c7530257634df3fb9a63a8c17acffd6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
a4f01b414c6fc1a92856d2406ece6e2b

SHA1
a725a92e9c9cf9f68d2d6224f82dfb627c3bbbea

SHA256
80c4dfec71024ff4799bfa48fc8bd1336781d23ded7144de5bb3c4786e601ca2

SHA512
98c6fb4eb7525d6ed2ab96d3b489dc9edf58bed528f380c1d6acda01a89a046d01e8699d621be802dd1a4519cb37ab6ca4e9312cfa1be19b009e45e2d8af1469

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1c21f75076b004808cdbfb9499b2bb78

SHA1
9ade17d53ec32f2ed4b3072f368bff45a3dfcdd2

SHA256
6dce67a24f27bf7fd473ac605703d63bd4b3150180d98875498c140c1e4bd52f

SHA512
bbf3813b28039d077449e5c4b3bf47ef417f672d727491f6aa9139c1b706c0b8c250d1b31f14bac4391d9409e7b1ff0cd18864865bb97fca555b825e15f8cde3

Download Submit