neconyd | d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
Size

88KB
MD5

b4e42e9844be91c103e9e9a3127a6647
SHA1

f84f2a9f1a4da86f68cd448f8c63d447f7cec864
SHA256

d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e
SHA512

a135f058a215dc41327ca9de171d4663179ac3a0ece2d80a2f5a16204aa60d01729db1fa64b5d462148270d5cae485932bff6d04fd2eafbeb04ce9fa67478e32
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:xbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3000	omsecor.exe
2480	omsecor.exe
2648	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3000	744	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	85
PID 744 wrote to memory of 3000	744	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	85
PID 744 wrote to memory of 3000	744	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	85
PID 3000 wrote to memory of 2480	3000	omsecor.exe	103
PID 3000 wrote to memory of 2480	3000	omsecor.exe	103
PID 3000 wrote to memory of 2480	3000	omsecor.exe	103
PID 2480 wrote to memory of 2648	2480	omsecor.exe	104
PID 2480 wrote to memory of 2648	2480	omsecor.exe	104
PID 2480 wrote to memory of 2648	2480	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
"C:\Users\Admin\AppData\Local\Temp\d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
b277f034292909244e7492654a8c8083

SHA1
77e43951d0a851e267e12c9783abab49dfc56c0d

SHA256
5f2a869ebfac4292476b4bdc1d44b34f6f578c22769a20e80d611ad7b805438f

SHA512
5ff01c8dce96509ad7c392b9ca49d9fa5f6f875e86cf8838f712cee0f6fc387fc5f4bd66eb24704659bc6f4abddbea619069f930790479b50f1f407013b1eac0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
f3cd9703126d0ae1a3093dd58914bfde

SHA1
e896b58d50241c1aefa4fa89174316721061d7eb

SHA256
1c1631c5dd27a2129ac2a7b75eeaf1d0f194f88010ff49da6e8b1fec10962376

SHA512
38e03759b47b9f1be06e013ed8fba53e0b0f76d50fcf3f3ca1a91586a6807c03d56ffd82b7833e1ab2846b84596a364ac2866d948db5f145673cc9d70fea0399

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
cc47cd9cac3fb18365d6eddca394314f

SHA1
5471477f85696caeee8fd2601bcbcc94739303dc

SHA256
57569363a2902a8dd69cdc606216fab6543b620e7de27f16d64dea13d157177d

SHA512
60776f32b795961ffd169e75da09a3ad1e564d9d483c0df2a375d0b9ac86f8b025a75bb024d184a88a1b07bfa258cdafbcc7f59615bd33febc88d4c3f7ba9dfd

Download Submit