neconyd | 4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
Size

80KB
MD5

429c9bd1a87eeddaef654ff0e423bbe8
SHA1

bfc03adeca294e7a7e3b939e14c02c6dd6bbfd04
SHA256

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020
SHA512

ac763cbd262f57be05d96c55d89e5e5a2433b22eac2adeadcc72f77c6074cc7d41cd37ed25c0fc6e1e5fae39821ca0cfec18b7d0faa9d3e053867af8743ff215
SSDEEP

768:GfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:GfbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4500	omsecor.exe
2900	omsecor.exe
1140	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4500	1800	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 1800 wrote to memory of 4500	1800	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 1800 wrote to memory of 4500	1800	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	82
PID 4500 wrote to memory of 2900	4500	omsecor.exe	92
PID 4500 wrote to memory of 2900	4500	omsecor.exe	92
PID 4500 wrote to memory of 2900	4500	omsecor.exe	92
PID 2900 wrote to memory of 1140	2900	omsecor.exe	93
PID 2900 wrote to memory of 1140	2900	omsecor.exe	93
PID 2900 wrote to memory of 1140	2900	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
"C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
22f4794b669dacb1335baab49e90a82b

SHA1
a8f2a9c780277bbf97c012dd21655f89bfc3fa0b

SHA256
80231fc1ad36cb6bf7f124fc18152fe6ed238570f8faa64a8b491e02d33eef55

SHA512
06944a51b63022d09d0b92fdbdca1f9d75fda539419f01b599b73f6514abbb3e22ee8c22af0f3f44fd864c92084fa0828d5af0fd4e62c4f8cadd1135318d243c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
57526ccbdd50ab149966def4adb1f785

SHA1
d22f35f22832f1dbdb418ea9dc652390d615cbdb

SHA256
41081339c08f775797cb17853747392ea0fa09fb809bcaf3315a2a6b70f03c2a

SHA512
306d275f483161a7905e6af027d92de6a659f2e8dca887f82bea8cf6f5b3a31769674a15b8fc86c8ef416dded3d01bde0da4cdbbbae5f2ff295d487a6ab97cfc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
bcea5274f89c5887e1467ddab208e540

SHA1
72f3b1cbf45d1c84f0007d4cf157dca95c8ea940

SHA256
d289185d3f56489a33502ea712d41b531401356075a0f86ec25dbf4541b0b130

SHA512
438727c5e2ec00eaaaba7ebd4517be127e2794ad0155b85c1a3a9757123297452e73184590dbd5a145e67ba2349b28b72f08289703f3561d6ea02620a7b9a545

Download Submit