neconyd | 6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
Size

33KB
MD5

69f977832f61c475cc0494783f506520
SHA1

ec0855e68d06839eb9710017cc5cfd70d7ee2977
SHA256

6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b
SHA512

cad3d6215a1206c4d980ceb879e2e63403741ee9426939dd1d75339acb7683e6d41bb64fad8e277f61fd704de0e29172ab67b9da45bbfdcc7f638230038b9aaa
SSDEEP

768:HfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D7:HfVRztyHo8QNHTk0qE5fslvN/956qA

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3112	omsecor.exe
3896	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3112	1196	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	82
PID 1196 wrote to memory of 3112	1196	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	82
PID 1196 wrote to memory of 3112	1196	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	82
PID 3112 wrote to memory of 3896	3112	omsecor.exe	92
PID 3112 wrote to memory of 3896	3112	omsecor.exe	92
PID 3112 wrote to memory of 3896	3112	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
"C:\Users\Admin\AppData\Local\Temp\6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
9f402e76af5c3b5eca3d20bdc7da492c

SHA1
b1ee5f8c45c24a5b0d9423309b80a43e2f0cce17

SHA256
a0da4564e0ef499cb6a3fc4d77cb71698462dfd6278f979dca280812cf61cc94

SHA512
95f79fdba2f55faac97bd2ff7b4429312466f30245754c481075c56f58924e93488c9b71af433d49c7fe835834333f7e0fb1114de52f272b5c4daa8b85dc0d4d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
cd5864904292187cfde79ae60f7246bb

SHA1
74965cb2e9695e06215c9507d7799650ea5d1ed0

SHA256
784c471cfcdab28d9996e6444ece62c97ba40ab03432098e9c6d8065de733cc0

SHA512
b9e67fa00b0455ced375790837468ddc2273450bc17fbfa94a5805e15edec422b5f371a0fa1dd9b7355a54ed1e4471f46ceb4d617dff83db896d6e25d51e4f5e

Download Submit
memory/1196-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1196-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download