neconyd | 6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
Size

88KB
MD5

9496eb5e9351c7b820bb6febabbd8880
SHA1

16adc27f75454571306922704fd696d3da7fc14d
SHA256

6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9
SHA512

6344b4f06a1c6c8418bbbff05cc73d5b3ede856da3c85bf74c4c3b2be094aa54225f36565ca9ebc2fd029145f1943bc44615aee4b6f635803170bd6a3382f65b
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:hdseIOMEZEyFjEOFqTiQm5l/5z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4612	omsecor.exe
2808	omsecor.exe
3856	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4612	864	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	82
PID 864 wrote to memory of 4612	864	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	82
PID 864 wrote to memory of 4612	864	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	82
PID 4612 wrote to memory of 2808	4612	omsecor.exe	92
PID 4612 wrote to memory of 2808	4612	omsecor.exe	92
PID 4612 wrote to memory of 2808	4612	omsecor.exe	92
PID 2808 wrote to memory of 3856	2808	omsecor.exe	93
PID 2808 wrote to memory of 3856	2808	omsecor.exe	93
PID 2808 wrote to memory of 3856	2808	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
"C:\Users\Admin\AppData\Local\Temp\6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
61ee915909dad30a305b3f9c48be9818

SHA1
4690f7df8dc821d258845f1e7416359a0b16aeca

SHA256
18f2eceac522b067f34f2e76d30dbf6def493deb54e81e613765d3b44b39e770

SHA512
57b753aa9e9bdd5599d4bd2cc5f5a9d2f99e0516e197c422ee1af3ff87543af5265c058f5036f36d17d162de8d3fa23428e12f2aae98ceaace78153c18993f64

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
588757e498613a3df38415b697fb3b6f

SHA1
0c5d7e73f85bee128c776807c4b0064e39542874

SHA256
a4c5b59d1d39d847581d1c7e02384b68543648888c93e257ea6e9274f278a6b4

SHA512
89b88a5a501495f2193c151a54b620694e483eaee6179b60fc191cce26b5dd7e0db003dc4001176326c49b32043d5ac31ac751d111ded796655ae809bd959cb9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
5b688ba6caea9960e0c1456082e1e946

SHA1
17a0de8f21795d0d4cf4fabdf48bbf42b9bcb807

SHA256
db34027b594730aff22fb93078fc59612015b083924f5858d913e8f0081e65c0

SHA512
def4ae8b8605100a5396071964115e8496356a11475c32681b0deaaaf34a96ae2f8ecbff0d8ebf6c5ef7c1bd8c96ed4a4ce55c33623b69bcef3f63d69bef9a34

Download Submit