neconyd | fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83c

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
Size

89KB
MD5

39d29a04536e738ff9d9a15b87079060
SHA1

1e4f6694f61182f81d9ceefcb516ae25cffb4ecb
SHA256

fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83c
SHA512

7618528c6184d92a1d4c4ea824ce5c466bb183f448b347e9e7e743619f5f277707e33c94dbacd1f6399cb2e6ebb60a2c8607e96b9a301af4bdc9de6b50e270d5
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4520	omsecor.exe
1012	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4520	1364	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	83
PID 1364 wrote to memory of 4520	1364	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	83
PID 1364 wrote to memory of 4520	1364	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	83
PID 4520 wrote to memory of 1012	4520	omsecor.exe	100
PID 4520 wrote to memory of 1012	4520	omsecor.exe	100
PID 4520 wrote to memory of 1012	4520	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
"C:\Users\Admin\AppData\Local\Temp\fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
a509c547ea8025b20b2c7aa560ee6569

SHA1
fcd543027cb1eba7b60c8ac4a444dfbb296cc480

SHA256
8343a1839357974e2f7e55d5647be9c25e14204a5f32a2f312e02f1879e94ba3

SHA512
ac1a9ed6e31d6d48d4267b284ad5b6fa6e879cfc405ae4a62f1c6aadd4039505fe87ae8f0de1601351c9ba2fd5fff4f7e0846fced4122e2e119dfc872b7e05d3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
ad0929cdd8dc99a7f1b447362b703fc5

SHA1
1086dee82031b0f7fc6c7347dabde79bf72c25f6

SHA256
eebc0cfb6c1ea9c0d202373475e3658f448155ccb64653cc9b4ad5815943186e

SHA512
8623fc4d02e1edce4d1bc16a636a2d63a083dcd9beb2779776a62cd9186db4ebb1dbc2d0579efa653e72d69b4cd75c6adb31a0bbd51e54dfdf4c736e70ef336c

Download Submit