neconyd | 291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
Size

76KB
MD5

6828d009f206a96c7bb7227850d8b380
SHA1

1f180115a642cf68492d05183dbfe0a210555b7d
SHA256

291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28
SHA512

6110aa557d970ed5a5f6263eec40c0d44f04b69f82cd89b8d07eeab25dc7f9720fb446e7bb6591b48d75656f4fa34cc48431cc181fcd44caf3b2452931b5fcbf
SSDEEP

768:KMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:KbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4044	omsecor.exe
896	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4044	780	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	83
PID 780 wrote to memory of 4044	780	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	83
PID 780 wrote to memory of 4044	780	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	83
PID 4044 wrote to memory of 896	4044	omsecor.exe	101
PID 4044 wrote to memory of 896	4044	omsecor.exe	101
PID 4044 wrote to memory of 896	4044	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
"C:\Users\Admin\AppData\Local\Temp\291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
9f3aa080f624d0671d2ae3e27292600a

SHA1
7c745f68ea6d58ed65854ac51a2865fd7e53eb0d

SHA256
c314c98d82168b2ac956c4d5b92b669dd65e4db536c129224e5ff8a9bee68a15

SHA512
6ba872630df440a88533e73e0e84bf40b8e50cdd0568e4b9ae11386039aa8fa40939a4aef3ab69a2bfb0de4fc3d39dcaf0c2c4f4a09a3f87545e6568ba7f6db3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
7f2f460fe557d35a220764ef8598c234

SHA1
0785299013eff022fe2ae9622563043618bde8ad

SHA256
398ad7aaa86959a1a94b08ab280bb8b965629ffc71e60e102955e7ab00a87a61

SHA512
8d897c69f4b27017c13ea583b8dbaf68f919122a8eb5afd1a968ff66eb42a9e5f4dbc27daf4c29f3453b96050d02e6bd8641ae22862530b5422b65df9234e8a8

Download Submit