neconyd | 622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe
Size

80KB
MD5

7ff47073999fa2bf7d182d25da9848d0
SHA1

c59e6d35e595dc21ce46845f1b34b39416cc6c22
SHA256

622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a
SHA512

3cc4a35afcd1e5d7310cc7186e01c68baf3478ec1a1d92a1b68adb5089affe6f54eada4486ea53fc1466361d6efd2845e91f253a6db7654a5551718f010970eb
SSDEEP

768:nfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAe:nfbIvYvZEyFKF6N4yS+AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1020	omsecor.exe
988	omsecor.exe
3344	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1020	1548	622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe	83
PID 1548 wrote to memory of 1020	1548	622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe	83
PID 1548 wrote to memory of 1020	1548	622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe	83
PID 1020 wrote to memory of 988	1020	omsecor.exe	101
PID 1020 wrote to memory of 988	1020	omsecor.exe	101
PID 1020 wrote to memory of 988	1020	omsecor.exe	101
PID 988 wrote to memory of 3344	988	omsecor.exe	102
PID 988 wrote to memory of 3344	988	omsecor.exe	102
PID 988 wrote to memory of 3344	988	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe
"C:\Users\Admin\AppData\Local\Temp\622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
11d60de67578726521c32bfdebfaada0

SHA1
623b39c2ee6ab91d79c96b63457eaa2e2ef44b9d

SHA256
59a6d50e6bf9ed0724940b974ff453b7556110a98bfa59215744815a1761bc54

SHA512
5050d46b61001c8abc7236b7c911bab9b3e0aec85bc38c5089620c29ae3d261f597f406d9ab7e16987e5733551713bac50f3e5f16063cfd2564180cadcbc3862

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f2ea4f51b5256588615438c81c085353

SHA1
debfc847bf17854b35243d3f025a585916a5b193

SHA256
d7a48273ce9d8b77ef72402e204c26115fa003412ef6d6679cd73d1b48f3ad5c

SHA512
37690d1750ef5a88a66721f371f3c134776f973261c2e5702c8ed239ec2f2eb22e0e85d7e7abdb54b2d2080e3921d3d36b6dbb309e2f42fd600eb3e67510deb6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
a70c31ee857c52b0a5086605ba7ec5b6

SHA1
4636cc2addb1fbc12411639d24dfb70d1789782f

SHA256
56c352b649c329d8282db3774300550e9574d26d522aaadf0d269efded295d74

SHA512
348e5d71a9273d9b96c93e2eea9994f9692f4b1fa74c0f0f8316c26a7ef12d5e8ae1404b35694512401aa6301b759272eb74963f5b17231ea138aa74bbd32c22

Download Submit