neconyd | 5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74af

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
Size

76KB
MD5

a8ad3d8ab73c1595dd51afe2bf59b5a0
SHA1

ba1f9e97cee2323267598beca461902afb3fb1cb
SHA256

5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74af
SHA512

42f932316f2ae2a333182980de31b9961defe4629e3140c307e38ecb1862c32a5a8bf621e0b7e2d5e3c806e85ca17e3c822d43e3c01a8f49bf47b2ae29236d3d
SSDEEP

1536:qd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w113:qdseIOMEZEyFjEOFqaiQm5l/5w113

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1848	omsecor.exe
2036	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1848	2340	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	83
PID 2340 wrote to memory of 1848	2340	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	83
PID 2340 wrote to memory of 1848	2340	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	83
PID 1848 wrote to memory of 2036	1848	omsecor.exe	101
PID 1848 wrote to memory of 2036	1848	omsecor.exe	101
PID 1848 wrote to memory of 2036	1848	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
"C:\Users\Admin\AppData\Local\Temp\5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
52c51e23006dafef378b88431533edef

SHA1
2d474b659dd0387531b38c3a6d803b416cdba643

SHA256
ece611e862cc3626e17d1aae85e411b52e59c0cab26ec596d6d7ab9021bf50fc

SHA512
796db1dd1e21ed3b6f21f58e5db41d19cd7f17afd3f7a4c1371d7c059cb18497071701916c96478c1d8b5ff8e1d9826f6f97ac9a5b9f490ac42f73804dec549a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
6dd4c6d7e36736e83c6b55b2cb48d0d7

SHA1
c09132f9769c24e31f702bf80f21e6fa38f49db1

SHA256
1201fe73448855f3348e5c4cfc3caf2baf17a2625dd304d2a186f0b561c31ae9

SHA512
296e1864733ae6fb5247b39a2421da740b7dac9390ee3308691f32fd078707a29d2f9563712e8b6e7e722aba10305ba7b7a93eace2a574f1bb82b10ebe45d98a

Download Submit
memory/1848-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1848-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1848-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2340-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2340-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download