neconyd | 4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
Size

80KB
MD5

429c9bd1a87eeddaef654ff0e423bbe8
SHA1

bfc03adeca294e7a7e3b939e14c02c6dd6bbfd04
SHA256

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020
SHA512

ac763cbd262f57be05d96c55d89e5e5a2433b22eac2adeadcc72f77c6074cc7d41cd37ed25c0fc6e1e5fae39821ca0cfec18b7d0faa9d3e053867af8743ff215
SSDEEP

768:GfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:GfbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3652	omsecor.exe
1864	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 3652	3928	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 3928 wrote to memory of 3652	3928	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 3928 wrote to memory of 3652	3928	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 3652 wrote to memory of 1864	3652	omsecor.exe	92
PID 3652 wrote to memory of 1864	3652	omsecor.exe	92
PID 3652 wrote to memory of 1864	3652	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
"C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
57526ccbdd50ab149966def4adb1f785

SHA1
d22f35f22832f1dbdb418ea9dc652390d615cbdb

SHA256
41081339c08f775797cb17853747392ea0fa09fb809bcaf3315a2a6b70f03c2a

SHA512
306d275f483161a7905e6af027d92de6a659f2e8dca887f82bea8cf6f5b3a31769674a15b8fc86c8ef416dded3d01bde0da4cdbbbae5f2ff295d487a6ab97cfc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
449d9848c0aee81bacb647dc68c53fb3

SHA1
4b8a2105c2826722df27154f55a5c1d574b9b411

SHA256
6f6f7f6bdee5b6b341cf6e5bb603604146bbd2b75a9f46527fb22182817e1533

SHA512
e1d6ff8e156bda1336e07bb8c8e5bbaea177a51d4ff12e23dc0b227bdf042a5a1588ca6918c0f28b966dbf606283646a585b2edde1ad18dac7eaf8d297b6fefd

Download Submit