neconyd | 32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Size

76KB
MD5

a9713078c7fd3535245a036aa3a9f777
SHA1

84851ede7b2b766e2dec5878fcdfbdaa817ba3b7
SHA256

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520
SHA512

f4700e4a2546a08eca77ba4de92cf99bfae9fb0e888ca80d23065b9bbd49463691fdc3697c9e3cf2f7ebe209cffbd4562ccfeb846c276f26f2f44365290fe5af
SSDEEP

1536:Pd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:ndseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3760	omsecor.exe
808	omsecor.exe
2348	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3760	1964	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	82
PID 1964 wrote to memory of 3760	1964	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	82
PID 1964 wrote to memory of 3760	1964	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	82
PID 3760 wrote to memory of 808	3760	omsecor.exe	92
PID 3760 wrote to memory of 808	3760	omsecor.exe	92
PID 3760 wrote to memory of 808	3760	omsecor.exe	92
PID 808 wrote to memory of 2348	808	omsecor.exe	93
PID 808 wrote to memory of 2348	808	omsecor.exe	93
PID 808 wrote to memory of 2348	808	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
"C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ff94d8656d5edee9fb87e1ae4198b7b7

SHA1
09f43646daeb5f1300f380cfec46608a8332adb0

SHA256
3c9c73d36db4b65c4e903a2bf31fad57caacfe1abe1a29de63bb513833f93882

SHA512
b68a6d85a43d5eac5312f07ba83817d658b7ed9eef3fdab7a9c562c9a9eb087666d070d7caee78f9d14af031fc2c628cc24e1dccdf2d74b0cfff42a39191c0d7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
cfeb43c1b2dac22e3ca8b6e62dd67d3a

SHA1
62e652a6ee96d4491c95b72d5a9a794584b6ac23

SHA256
7870bf2676837f2f74ebe62ea42625844fd9b771ac324fa1147a49b622cab150

SHA512
9833e415ad121040aed8f6b46c4b8fcdcf24f7bae13f0aba02367fda8b67953da7ba65a5204eaa8db9c9e483e447a6839aa2e697cc0d75d67d183f397e38d957

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1bc4a2994f1bfc019bbb7fe56016b284

SHA1
f3ff2e4c83bc94b026cb55b49a2c8b021ca7ed99

SHA256
6c25ac4b1276d7a675647e0c7439d379ca054026b0e396cc7b1d07ff71c48e99

SHA512
63eb2fdec761e31ed63d8d18d19965c72e1cccc7530c7c78e68e2faf976eee1ef4b738568622d40638cb43f41d6cbfa4a32c4b27c43c6b0e247a94c684442435

Download Submit
memory/808-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/808-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2348-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2348-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download