neconyd | 0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
Size

64KB
MD5

c44f8b816073ca9d49f324ec821409a5
SHA1

b9c1b7c3558f2614ddc93a797dedf05c4ff02a83
SHA256

0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3
SHA512

3ea7a4174499d147ded7218caa02c7e07a898bd56729ff19d758ba5b63129e2178d4bd0ac0b0ac9b947bbbac87a8c9a839ba5b3e5e7299ffdc9a9519bd0ff83b
SSDEEP

768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAv:bbIvYvZEyFKF6N4yS+AQmZcl/5H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1936	omsecor.exe
1140	omsecor.exe
4496	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 1936	464	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	83
PID 464 wrote to memory of 1936	464	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	83
PID 464 wrote to memory of 1936	464	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	83
PID 1936 wrote to memory of 1140	1936	omsecor.exe	102
PID 1936 wrote to memory of 1140	1936	omsecor.exe	102
PID 1936 wrote to memory of 1140	1936	omsecor.exe	102
PID 1140 wrote to memory of 4496	1140	omsecor.exe	103
PID 1140 wrote to memory of 4496	1140	omsecor.exe	103
PID 1140 wrote to memory of 4496	1140	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
"C:\Users\Admin\AppData\Local\Temp\0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
9eaeb770cc83158f6afe946c562f9608

SHA1
213747481e93bbf803784e8278a5f67ebd4757f9

SHA256
da0d6ff5c5e9b5f129bd7634df293eb7723608bb1c7cf66d803756845b394859

SHA512
dbf96f323bff852dbc6f943d73ca449f10cdefa6165d1622c756db1ccfb70529ca99f158bb6df81e8d1d1801c83f9002e91bf5bbd45136a9106c33547bfae6a1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
9eb8c5e012218152a1dbca9fe39e2463

SHA1
2810f85a53291aabb51f533e375c60a885806917

SHA256
f7758f80e8d2b5b2d6d7ddc3bc44026e86dfcf837fc3db6a4ccbf977039a329b

SHA512
029439e1190c65c570d4e942eff5b2198a3d22e2496c78bec25cc88938e138e81dabda3936e098c99e09d8e1ae23a97a61c6ef996c1fc69c448fe033423db721

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
b4eb3ec48c365016d1a418a2262939a8

SHA1
98ddbf3dc15dd84365209f22ed83b8edebb71c72

SHA256
90317cabcb56106454095c72a9d7ba9813e1f95db050f1751052368ba7e87ce5

SHA512
1508e0e11b4710b2359fbe7075cab1e76fdfafd952b72039feff7bfa47cb89f6c92c26be1342800d525a556aee608480b161e4dc5b3c31b9abd1bd4c29f49cfc

Download Submit