neconyd | 0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
Size

76KB
MD5

78186ad83fb7ef5210e41709abef2740
SHA1

f2acb5485855725b289b5f8d8b42ef2ba03d7598
SHA256

0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825
SHA512

e1b3a2e16ceaf7ade9ee4e0dc2f1172b0e828b069cd9d5ce365bcb37f165d40b37f68c9e0248cd7f46d9f1f6319a895ff95e902cef290e3607c397492825d9e8
SSDEEP

1536:Ed9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:8dseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4592	omsecor.exe
3300	omsecor.exe
488	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4592	3236	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	82
PID 3236 wrote to memory of 4592	3236	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	82
PID 3236 wrote to memory of 4592	3236	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	82
PID 4592 wrote to memory of 3300	4592	omsecor.exe	92
PID 4592 wrote to memory of 3300	4592	omsecor.exe	92
PID 4592 wrote to memory of 3300	4592	omsecor.exe	92
PID 3300 wrote to memory of 488	3300	omsecor.exe	93
PID 3300 wrote to memory of 488	3300	omsecor.exe	93
PID 3300 wrote to memory of 488	3300	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
"C:\Users\Admin\AppData\Local\Temp\0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
2234fb5a5632a39b50d098b82404b1d5

SHA1
699078b6ab180cf874c56ec9785c2bd595f46710

SHA256
8a695ef386c33d208e0b5d41d6562d0778be39bc16b2b1d308eec7c9939ad81e

SHA512
a4bc1ba8c1c33545e2a4bea5e3b3abe3c00b5c649697bcfd3f67bf2b9225c6df98811c048c70a055e8fed6f4038f103f6cc8a46f1ba5752276661b8c9bfb1ad8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
885862ad1f732a9ab922878b50930777

SHA1
2abb58cb97c5320ad612491b488b0c0573515087

SHA256
f160eb08a4aa89bb72fc505c03a1ef651a5a46b48378a0855abaa835bb4a733c

SHA512
85b336ee235c80fc25fb57ab3d9fea1b536e7b499e17fada0a34a5062a2fb7ae3ae1f72b15794d4872bc3fde3feebd6ab3e6945085be467d0181335d55658298

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1986eab0dc7f1fe72568cd8308701bad

SHA1
681562e2186637e082e0df8522b51250b0e57ed5

SHA256
c0e577b5d662806f544fd69ad6882d586af7e8947d1409853820232e8d3f6b5d

SHA512
4228556b420b40bb8fd4e502c020ee261c240700a3c08c4cbda9f98f79f148585266550289c59e7e1c72ed9c161d277bad18916b3dc5c0f2bc62d8ed70fa4b60

Download Submit
memory/488-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/488-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3236-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3236-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3300-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3300-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download