neconyd | 8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe
Size

90KB
MD5

b9186d917a9236ca7314e0300bb263ba
SHA1

6ea4d34c04140e23a0764ec41e32a8697fa26f79
SHA256

8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820
SHA512

0ab206bd7593e0e3b39aea1ab7e4c80c0aec21d8ad5074ceaabcf90d794c6807e0792424c91144149fda52d8e85b80e29ae14d660c3d989a0b935b457b788669
SSDEEP

768:+MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAO:+bIvYvZEyFKF6N4aS5AQmZTl/5G

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3556	omsecor.exe
1420	omsecor.exe
4712	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3556	4880	8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe	83
PID 4880 wrote to memory of 3556	4880	8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe	83
PID 4880 wrote to memory of 3556	4880	8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe	83
PID 3556 wrote to memory of 1420	3556	omsecor.exe	93
PID 3556 wrote to memory of 1420	3556	omsecor.exe	93
PID 3556 wrote to memory of 1420	3556	omsecor.exe	93
PID 1420 wrote to memory of 4712	1420	omsecor.exe	94
PID 1420 wrote to memory of 4712	1420	omsecor.exe	94
PID 1420 wrote to memory of 4712	1420	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe
"C:\Users\Admin\AppData\Local\Temp\8a6a14b28675f2c7c498fa84d1bdf4cb2d5d564f5d332b0b28c8112cadb53820.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
5a502349df0b328a7c2bf5f54946c654

SHA1
9571eb0f927a3c1d1d860a792c987d45454b3e0c

SHA256
db82df08b2b476140b05e62493ef3a6aa954cf72d68b0270812253751758c729

SHA512
698fc90d73520d78186a9b6a693244d3c2a17ab170289e3fff2a932126b8f4c48fca5cbd28148d305f44bd8837b0a0010046037eb0a1e6cb47c9fa379312c1de

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
332fcfcc1e3a5492bcf18e0d8413b010

SHA1
af14753edac51012761337fc204c5c3b88dff3bb

SHA256
6fe689c24ba7fdc036929a94bdc736f721ce566c1918617758cbb95e4ca0d05b

SHA512
6704d92087830adf4bd7887be0a51b7847fbe50bcc7e28c136b0e209f5c9bc78ea3e7a5a4385fd1d70a1e68cf6c698ae32dde5561f2e131fa39de4cca4823f53

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
5729370127d3e88d93a290d035b383eb

SHA1
1d3615eba775fb6f9671a15a613858f0269e691d

SHA256
e4502d82808394247c18c97a78e46c39d506ae67fef40815ab338cf5161b9384

SHA512
abc865835b11a9e7bfcb0715eaed1ecce0ef102b571284cb157a1c65ebd73197399ed970b87e9ba076795a8a4ed44d0914229022d72a651c0b17ac578c2c04c8

Download Submit
memory/1420-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1420-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3556-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3556-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3556-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4712-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4712-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4880-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4880-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download