neconyd | e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe
Size

61KB
MD5

afe192e370ad5c643ff6206e7a3ce7c0
SHA1

dd09e9c3007b2b6d34aa96da52df528f12582e72
SHA256

e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460
SHA512

493d323c966a996c774c0cb5416c401eb087e019682af8b7abb07b5ad737b88b1e57db9d3ecf233a22ac5767fe167e991824d2a7cf911151d529ab94b55ff3cd
SSDEEP

1536:td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5:FdseIOMEZEyFjEOFqTiQmTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3640	omsecor.exe
2960	omsecor.exe
2284	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3640	748	e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe	83
PID 748 wrote to memory of 3640	748	e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe	83
PID 748 wrote to memory of 3640	748	e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe	83
PID 3640 wrote to memory of 2960	3640	omsecor.exe	102
PID 3640 wrote to memory of 2960	3640	omsecor.exe	102
PID 3640 wrote to memory of 2960	3640	omsecor.exe	102
PID 2960 wrote to memory of 2284	2960	omsecor.exe	103
PID 2960 wrote to memory of 2284	2960	omsecor.exe	103
PID 2960 wrote to memory of 2284	2960	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe
"C:\Users\Admin\AppData\Local\Temp\e43600e7b7154a3a7f4dd3bf2fbfc3ff4cde0e20ab40e09de89f4c4f4e0ca460N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
1cbe1161b03f7f09295e0dd2f21c1843

SHA1
baf31c37730898127ed8ccb4949efdbc5e641ef7

SHA256
3f977dc34bee199cd2bf0c33b796375f6f4421683aca477a3ad7990623434fd4

SHA512
48c0d74decc544b216539cccdb05d4d2ade04229f92c563606bd17e8aa1dc358f69206d6ce285890111c2e50aedde00d1e2400c25d0d42c6857cd356cad4465b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
3029ce790c69b8d3126f80aad477936a

SHA1
15335054e20a587febdcd8c686cb254b1bfaecbb

SHA256
f41f3bcefe553557d6fcd1c6b736568a3f2b94caf87514e00767c9cbc8f360a8

SHA512
46c28343329971bc0e294b4cdcb296b1851d504dbed62d96036eb138769fa83723e52feb95d0141db089aa3a3e73496e053e867ec0ad01bc1210aab52fb4cc95

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
04bf3cf5f0dd3bedfb9ef05919dac81a

SHA1
ba78ea2fe0a99de3d1616b653298d60b70ffaa2e

SHA256
f08eac746fecb79fb7dea53b1a4c7711627303ee5e9fb7de56877192183dd361

SHA512
ad1896b5300c6321668e3226c129d0044b55d6c900d98da7009d9590cef2598a8ff679fa968f525fc1ce336940811f44c55c2a4b955c7be222fb31b60ecb0dc8

Download Submit