neconyd | c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
Size

92KB
MD5

9f58b27476187faed4e25dddd66aef84
SHA1

62730d93ba19df4f26602188060bc10f2030fe5d
SHA256

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d
SHA512

46bddaaa1fc0276a0c83136896ee735fe83bc688e8d2033d80eafc5cdff3703cc423e4cfa8913d43195ff8be5c91334f87fc44d5cf4c7bc2fa4171ad25bf309d
SSDEEP

1536:ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2184	omsecor.exe
4616	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2184	4164	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	82
PID 4164 wrote to memory of 2184	4164	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	82
PID 4164 wrote to memory of 2184	4164	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	82
PID 2184 wrote to memory of 4616	2184	omsecor.exe	92
PID 2184 wrote to memory of 4616	2184	omsecor.exe	92
PID 2184 wrote to memory of 4616	2184	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
"C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2a957fafac340edaac0719d7b748c076

SHA1
274077ab7c22c5852aaf2d9cedfca3f597e273f6

SHA256
5558c99b9f624ce981ec5635af2d7e76a47dbed05faeca2f8de9fb5bfe43b642

SHA512
4d25b8f98f23edad2008d430474fa08611967700f2e0dc5ae3f5b46dac82b41e5c07e05fe4809ada48fced0573a0e7a009e694cf9a149a16d5522d680809458d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
549007c6bb12f5483efbbc79256cc965

SHA1
4c5a5392d78c2dbfc10efeecb316dc13b827cbf3

SHA256
54de079fe4636154a30db729e0fd80d02ae5c416bb1b2a4749f41072e768b6a9

SHA512
feeb0cd48a3b2b8557701d1e11352d48e46241a4240dc12324b02f68ee69d268da20822730db3c26d11c43c5c7d8240e43737868ad0e65c015806bacdaf92137

Download Submit
memory/2184-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4164-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4164-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4616-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4616-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download