neconyd | ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
Size

80KB
MD5

b465b4f55a678a8be063f1448983dc85
SHA1

4ce3865726505163edbcf5e5a952be0e33d54c03
SHA256

ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6
SHA512

0c3eedad30161a3b4015342be0d405ff24ce3feb2d71afc3a1011a874d455049db2ba027ea4b6b7f30e8008e3bdcde78ae1a1ab5d904fa2a307aff544bafd8d0
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzJ:+dseIOMEZEyFjEOFqTiQmOl/5xPvwV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4876	omsecor.exe
1408	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4876	4836	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	83
PID 4836 wrote to memory of 4876	4836	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	83
PID 4836 wrote to memory of 4876	4836	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	83
PID 4876 wrote to memory of 1408	4876	omsecor.exe	100
PID 4876 wrote to memory of 1408	4876	omsecor.exe	100
PID 4876 wrote to memory of 1408	4876	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
"C:\Users\Admin\AppData\Local\Temp\ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
144f1be9332775a9d2c05a31cda5d398

SHA1
978cd1dd9301e895bee1521cb86bfde3abcf01fb

SHA256
63ee53b271a7764a61a37edc3c75cef8402a78ce956073bb0974858754f7a0db

SHA512
c22a20476dbef69b0faebce950ca845f3964700a075f00b3aff4603623a29c7e273e3303f4d42683b36b5f4c9867048aef57c8b18dbb74fb538368dd512db48a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
fc4a6b5e146406b187c3bdc8da1d067e

SHA1
c42f935d0a13b9da96653add6cdb63d7c182d71d

SHA256
4011569cc75cf1c51e9078cd5c241d19e6ad1cf895765bacc7740cfdf07ab01a

SHA512
3549f7117657d20dd88e018be0c6006c8f8fd4b85c7100206ebdb2852367139860f09a4acffc0eed3442c0cba4847b816579336429a895ffb139ea57adab757c

Download Submit