neconyd | 4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
Size

64KB
MD5

97472f222d2703d030054a9cab746ae0
SHA1

b79c978ad6e7f8d3b7c55506f246b61f2278bfa4
SHA256

4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340
SHA512

7f128f7ca106575296fda7912d05a4260e17a3164705d4b581be1360f89933a476710eac4dc747074e1efed107b8b4e34c2df79f1db8f36341a53ce40b01d76d
SSDEEP

768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:bbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3376	omsecor.exe
860	omsecor.exe
2804	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3376	1576	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	82
PID 1576 wrote to memory of 3376	1576	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	82
PID 1576 wrote to memory of 3376	1576	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	82
PID 3376 wrote to memory of 860	3376	omsecor.exe	92
PID 3376 wrote to memory of 860	3376	omsecor.exe	92
PID 3376 wrote to memory of 860	3376	omsecor.exe	92
PID 860 wrote to memory of 2804	860	omsecor.exe	93
PID 860 wrote to memory of 2804	860	omsecor.exe	93
PID 860 wrote to memory of 2804	860	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
"C:\Users\Admin\AppData\Local\Temp\4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
b3ddcd202b55ba9e97ae747b1a8daf15

SHA1
ee0a362566f7ebfcfd057facd46e746e5bf9b6a7

SHA256
834b54a74ac055782fed7c2b03aea8a3d2367e1641408665c9ff29b0d50a194e

SHA512
b6fbd738ed256a8d65f91dd709b5e6130c5c0571ef1c6063b2b21a1c5c2eadd7438f3273f9b3f4149694682732142bdbc7a3fc82893360694b0aed076043e7c4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
470170f00d0c7425cc68af731e44a609

SHA1
8099270a6a5f517012334fbd0652ddda054f87c2

SHA256
e9fedf9030ea2d93e2c3c34d9e8a262406d39ecc81419c5b7c15d657b489fae6

SHA512
5c2af57d35a5c23b06b6f8081a310db2892165d8aa8bfb375f00cd99905aa3417a14ab811fbc55d7b2ceee7359546a293b6c879dc353ac6d3817e90108fb5350

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
af50e863df77b34f527db4054c71793d

SHA1
d0990fcfc9bbc7ef4f32955312c1f7040000227d

SHA256
89a41e94725fcd745dc65e51528a614c9a54bc0626a095d33b1e89e5cd614400

SHA512
9660d5f52319f45e517a1d4fc5d65b52cf16303d77cd1061da54395ddcff5e29c4a1e58c924efda294dd49cc4f81f0c7bb59192ea5ec181613bf5cc29ca9ad7e

Download Submit