neconyd | edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe
Size

90KB
MD5

7225501dce03ee74bf0ba723ed7346ac
SHA1

dc7c4cd0bf0826efa63e01b4b663f78b6f4c53c7
SHA256

edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101
SHA512

55efa03667d29ebeae85e02f98266b40070fe759a36ea8baa3074d319967f9df695359ce917fce13e88de2189c890fe85dd5bb56f6d168eb89fdf3ad652e8ef5
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:NbIvYvZEyFKF6N4aS5AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4924	omsecor.exe
436	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4924	1468	edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe	83
PID 1468 wrote to memory of 4924	1468	edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe	83
PID 1468 wrote to memory of 4924	1468	edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe	83
PID 4924 wrote to memory of 436	4924	omsecor.exe	99
PID 4924 wrote to memory of 436	4924	omsecor.exe	99
PID 4924 wrote to memory of 436	4924	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe
"C:\Users\Admin\AppData\Local\Temp\edf488c4795085062845f8567de05af31fd6c98e2e24a5731f8720d532e60101.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
90a7ddd50f3040c0d57d7de87bee00f8

SHA1
74450fe9748dde66ffd5a73a4f140c230f3f6230

SHA256
7531493ff7bbf6e0591ffccfd9b32f16c403d6acdc4d833e15119ae35b9472c9

SHA512
97759183618be557f6de94de3ad8c321ce8d60ff170dc3ff99c5784c452c7522781f007ce6cb8c9bf283184ee324b6da2f5cb9ce0fd536b102753214348b0c45

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
137eb6cf70a8b1f753cedc93f629a8f7

SHA1
3fa990d4f094db0ecf91f4240bb90bd3923e65ca

SHA256
37080906a8ea461cbfe1b7258321918ebe018c5e818712ec51c29cae2fb66ab1

SHA512
ee4273001be82ff9e618abfef2e21f149c5b6a6131415b9c84e81b42fc509125a22fd6fa650c12da4637d0ccbe7bc9a2a1486fb225b4729222cfada9cafa43f0

Download Submit
memory/436-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/436-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1468-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1468-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4924-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4924-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4924-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download