neconyd | d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe
Size

76KB
MD5

96c6b9b8085ddf548061c27bdb4b3486
SHA1

9d1fc5054fd88f8058d6c595d801cbb01ec924e4
SHA256

d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc
SHA512

f5525e9c2e9670dad43c0d76040f93681b4a111cf168bcc768c98f1b1039afdc1ce71bdc501147f43616bab098d368d79ad07926fa55000dd30ba431a05f5478
SSDEEP

1536:qd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11v:qdseIOMEZEyFjEOFqaiQm5l/5w11v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1864	omsecor.exe
468	omsecor.exe
2272	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1864	2032	d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe	82
PID 2032 wrote to memory of 1864	2032	d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe	82
PID 2032 wrote to memory of 1864	2032	d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe	82
PID 1864 wrote to memory of 468	1864	omsecor.exe	100
PID 1864 wrote to memory of 468	1864	omsecor.exe	100
PID 1864 wrote to memory of 468	1864	omsecor.exe	100
PID 468 wrote to memory of 2272	468	omsecor.exe	101
PID 468 wrote to memory of 2272	468	omsecor.exe	101
PID 468 wrote to memory of 2272	468	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe
"C:\Users\Admin\AppData\Local\Temp\d18c187e78101e608d455eb2820fdf7be9e89ba752fa29bcb27e1b36932d29bc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
601fa081bfa40f44cb2e28fd5a4a6e27

SHA1
c7ed15675761b692bb65d909e1715911093086c2

SHA256
dfd410f2f42f389a170c5e09e3b218a3e00082fcb3f21c3418ed6a37447dba38

SHA512
cb493d6ed26021cf6b398a95c6eb686a26a6f29489e65370693aa4ab12bded6f37e3f9c18b798d419979c0700946591a9484c420d02c5512b77784a4b6d27c64

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
34b5af3a5b10f1b4369a8a3c6622dc32

SHA1
78a050a917ab02d5a5b73a84b4156c38bcf4b0b2

SHA256
37be73cbb5fc155f31c6695035080825ab4f0949452f2c89515920354185f16a

SHA512
1b8c91a85cfa7b3b7828106da17d6ca78eaa960a21b51cb77706ffdfc71545a0a3dde885c61a603ad4b71c87a009c39a04eba37b59c2bd6bfe5ab12ece9e8c51

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
609c9f504a967e824198c5683208bfb3

SHA1
1f89c97d6b228562d99f5be76dbb285c1c814702

SHA256
69e644117ba2ed80e7ccaa548bd4c1b1fc842b9a91ebbe6a6b4378d5315bb987

SHA512
1f018db10cceec7e0fce1e13acf3c9d7ba8ed64a93d065034a5ca05d9cac4f85a282b14d121f0c7b1f72bd95adbf445cfa1cb77b33396c21336a33379550bff5

Download Submit
memory/468-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2032-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2032-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2272-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2272-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download