neconyd | 5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe
Size

61KB
MD5

f77c91bfc8f720926802a82b7ae114b0
SHA1

88fd5b96a448959e798021904221b7a3d778f253
SHA256

5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88
SHA512

c349af05ae5d2515be62602a4b566835f740e7e454a963b7883151a22cefce03fa5e65951341a7d0be99fc0bdc0343b9fdb834396eea938f58ae183ddcff7d41
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5f:LdseIOMEZEyFjEOFqTiQmFql/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1428	omsecor.exe
4520	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1428	2024	5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe	84
PID 2024 wrote to memory of 1428	2024	5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe	84
PID 2024 wrote to memory of 1428	2024	5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe	84
PID 1428 wrote to memory of 4520	1428	omsecor.exe	102
PID 1428 wrote to memory of 4520	1428	omsecor.exe	102
PID 1428 wrote to memory of 4520	1428	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe
"C:\Users\Admin\AppData\Local\Temp\5aa67f2203ccf1b04a67db62505fde885b481fa662d0886352d7aeecdcfd7e88N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
85e76349ca04ca98f338256f4ce2be96

SHA1
61286050d226f704cb2cb167a0da9f474f69f535

SHA256
001eb9909d339e703fde8ae3045729a7d248c030d7075b7166e678601481c6cf

SHA512
b7af8595873bc154efe55cd0da4fd050712e826b65a667b1ab46699c65d5fc14d539a8f6c97a901cf5da4d569cb66ab9725c41b639bccea898faa22406dae4db

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
a4f901373a5e2751d69d744006a7179b

SHA1
86eba015ca752d25d517b9414a0d88ed04bdcc40

SHA256
31172d8e1498933a3ff038dd9dacc115df624ee6a11cc39a13a5fca65a378a0d

SHA512
14ffb3730afeb34704d0a287683422051b33ec933e1e50c743ab35f4cb90c93ec5ea686597cbbe7d183685cf0bb6126309ba91b9bfcb9a06ba76b71ce7e97614

Download Submit