neconyd | 3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe
Size

61KB
MD5

41008581ed38f3986c92132eea3f6400
SHA1

955cf7067729afd5a123b997dc12e1d7d8497f15
SHA256

3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3
SHA512

5338ae5fa2bcaee2a8e7a8e1e33c442ac221482e69598f686c63c94ba2f6e608ef0bfccfb6643c507b5347999175e0856ff5a36f0240c945a19ec6c81cdce82b
SSDEEP

1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5:IdseIOMEZEyFjEOFqTiQmFql/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2752	omsecor.exe
1460	omsecor.exe
2356	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2752	2720	3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe	83
PID 2720 wrote to memory of 2752	2720	3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe	83
PID 2720 wrote to memory of 2752	2720	3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe	83
PID 2752 wrote to memory of 1460	2752	omsecor.exe	101
PID 2752 wrote to memory of 1460	2752	omsecor.exe	101
PID 2752 wrote to memory of 1460	2752	omsecor.exe	101
PID 1460 wrote to memory of 2356	1460	omsecor.exe	102
PID 1460 wrote to memory of 2356	1460	omsecor.exe	102
PID 1460 wrote to memory of 2356	1460	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe
"C:\Users\Admin\AppData\Local\Temp\3f1143cb1cf8a167227df3421a8592b4dff4d30351888c889f8c55200ae4d8e3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
b4a4e395981cbd85c2f1ca8a4303ee1c

SHA1
d3852f6e13a396295505635d2584997b1b6f8d8e

SHA256
095c583f195714d823eaa95427fc2086ef2f586fab95a74b85f6cd23d23ebcf6

SHA512
02a53b615db40c2b00d7d79ad7a3852739adb910ec2330aef75b5b2eec9f404cf750428d19c677f21b4a32e1a3b68a247ee67b3717ce2e6ed07d6613467dba14

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
43aa6d04da877a4f9dc9cb1fd6f54803

SHA1
ec5e426e828ae2e3a39e4f4e3a382d459c9fc313

SHA256
a34c95d3802db4b0f51c1f733739d9ef9fdc5f776cc106495295a289848b6a8b

SHA512
8a4792f160354e2696301569c2f8a0704fa26badb9e338d3c624f141b487ce4aed61d78e1cfa431e9a423f54be58a6e12ad3f51f51ff4d16ce156832f8950fe9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
d31513ff3c514eb507b0d5e7fbf6ed7e

SHA1
45a92c46f0c425129b4231d147f3b76a574bb4c0

SHA256
35ef0c351ed94c7592816c3226b4c0df62b9303eb812120d4b33b9a261c78248

SHA512
525882bfa9b4d4fc95be534c339e567075915325d7140f21bb02e1d92b5cba8aea1b600a857141eb3257bad15ac910ea068be7964b70da5a85a1b580338d3236

Download Submit