neconyd | 41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
Size

61KB
MD5

4c802f2573a72d20d8e00283350f9d70
SHA1

71f1bb07cf6dfeb32e2d7c1a32a40f4bf1baf959
SHA256

41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8
SHA512

c8e5dc99013616bf1c020c8031826ce0d81686fedd03ba5418f99ddb387bcbdf6d340fcbc279a140f94f66cec3ff295c4866466639a81ee17adc7e8709824951
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5H:XdseIOMEZEyFjEOFqTiQmil/5H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4820	omsecor.exe
3956	omsecor.exe
3044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4820	3524	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	83
PID 3524 wrote to memory of 4820	3524	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	83
PID 3524 wrote to memory of 4820	3524	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	83
PID 4820 wrote to memory of 3956	4820	omsecor.exe	100
PID 4820 wrote to memory of 3956	4820	omsecor.exe	100
PID 4820 wrote to memory of 3956	4820	omsecor.exe	100
PID 3956 wrote to memory of 3044	3956	omsecor.exe	101
PID 3956 wrote to memory of 3044	3956	omsecor.exe	101
PID 3956 wrote to memory of 3044	3956	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
"C:\Users\Admin\AppData\Local\Temp\41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
2e1a66bd45e8dd440d8718a06819e963

SHA1
f651a3d5a840a792cb592f9aa12f4dca7c6fbe63

SHA256
95b4085f306e858434d13f1b8fbe934986b026160c2f0d334377f8abea296b0a

SHA512
9118749aa6d3c7f9977c0626ac0b41b7fdf6fe15af95ba9337542e3cd2b886081de671d1c00d7ca47dd5e725d637866d5dba009973a5f79afc686705a4f6b1d5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f7e274b7134e509ec4a5e7b5c72bc5cd

SHA1
57eb9157f1fb8fc6891718e178cd4bc3d9a97cd1

SHA256
d6109ab6cc62c108afcfd003570f8adadbe0c0d6b323a12fb0d49a7f46d92ef3

SHA512
2d9ed196dda3eeaebbd7618d5cae544e0b4bda15c5f5e89ef03455bb9e2c3e315080066608c3fbf988bf3925d5544d127f43379cdff5fd5ba03b6fe775982970

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
da7b7057484b9acd56e66059210b06f1

SHA1
f28a05330b195cef99bfee74688ed4ea428b2a32

SHA256
dca98443bfca1a5ab4c0c0538684c6f08991c1ae55ead491e4baaf62003dfe16

SHA512
bd1654ffa36ed3f50a65ecc01a1c9f9fb6d310632bee01d4de9c3a0419d0e4353d4678eeed47c2c893a57901b3b259bd621e0d7cadda4062ea5a72fc26141c85

Download Submit