neconyd | c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
Size

92KB
MD5

9f58b27476187faed4e25dddd66aef84
SHA1

62730d93ba19df4f26602188060bc10f2030fe5d
SHA256

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d
SHA512

46bddaaa1fc0276a0c83136896ee735fe83bc688e8d2033d80eafc5cdff3703cc423e4cfa8913d43195ff8be5c91334f87fc44d5cf4c7bc2fa4171ad25bf309d
SSDEEP

1536:ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2232	omsecor.exe
3184	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2232	4080	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	83
PID 4080 wrote to memory of 2232	4080	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	83
PID 4080 wrote to memory of 2232	4080	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	83
PID 2232 wrote to memory of 3184	2232	omsecor.exe	101
PID 2232 wrote to memory of 3184	2232	omsecor.exe	101
PID 2232 wrote to memory of 3184	2232	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
"C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2a957fafac340edaac0719d7b748c076

SHA1
274077ab7c22c5852aaf2d9cedfca3f597e273f6

SHA256
5558c99b9f624ce981ec5635af2d7e76a47dbed05faeca2f8de9fb5bfe43b642

SHA512
4d25b8f98f23edad2008d430474fa08611967700f2e0dc5ae3f5b46dac82b41e5c07e05fe4809ada48fced0573a0e7a009e694cf9a149a16d5522d680809458d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
c4038c35b01c04503db21bff18735945

SHA1
c15f34a37b2ea8df395ab9b2f973bd9317ad4fc5

SHA256
8b10f7adf2b31760d541b828adc07581e3e434656ec63c7d1bf0f834d6d37cc2

SHA512
797532f66cf1f0106b77a794c5450367aa5677efb083de18ce2148ba73ad923510aced749871a010661801cc2d4b7ca9e9aaad19ba9dab890050bcf4b08ff9b8

Download Submit
memory/2232-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2232-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2232-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3184-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3184-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4080-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4080-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download