neconyd | ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe
Size

62KB
MD5

339d1aebcf78fcdf377e28218a49804e
SHA1

86857fb61ccd4ab10595e69fe2170bf52b2156fd
SHA256

ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c
SHA512

d5b331cab660c9c717a8a26c98522d71f2b305f94931c10f628737e55036262bbe60e2f25267c4ec5690c1eaf813528a1c84da9516e99e82f81294be4d6a6f4e
SSDEEP

768:QMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAf:QbIvYvZEyFKF6N4yS+AQmZtl/53

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3384	omsecor.exe
1720	omsecor.exe
2544	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3384	3420	ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe	83
PID 3420 wrote to memory of 3384	3420	ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe	83
PID 3420 wrote to memory of 3384	3420	ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe	83
PID 3384 wrote to memory of 1720	3384	omsecor.exe	100
PID 3384 wrote to memory of 1720	3384	omsecor.exe	100
PID 3384 wrote to memory of 1720	3384	omsecor.exe	100
PID 1720 wrote to memory of 2544	1720	omsecor.exe	101
PID 1720 wrote to memory of 2544	1720	omsecor.exe	101
PID 1720 wrote to memory of 2544	1720	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe
"C:\Users\Admin\AppData\Local\Temp\ffae65d1b0b5c9ce209d198d1bc344c2827146f7db3ddf783748dabb37f91b4c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
a8af2ef3f73a86b0fcd4958ecaf11654

SHA1
824d3ea460f71606461e2a38bc4df036acab6497

SHA256
3242ee8908c8c059c85936a3c4242864bc89d9c07606526841440967bdc22a36

SHA512
02026a39f763c764272a5c6c2d933a3f9ac03973f2517172aafb74a37b5f8c373200daa975b7e11f7c57a5ee5101d6018285eaf4b3d31dd7db3da0f6365ff549

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
df08ca205667853d491e42d928c9d610

SHA1
78a3e1feca053e32598a4a0326bd432fed5e1c7d

SHA256
6c0e6bbe86c9a0e04014931ffaba574a2bbf887c30279f37b146749ba1287838

SHA512
dbca285b8ab81329c442e8d81ae5d83ffc72565c857c9211aeb1090f0b1a7a4701e63178e331e84b01fa3082c93597dd984c7b2827b181490d03f79946d4639d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
49f0d93eebb2e98a3190870e589eb14b

SHA1
00d67d9d9297c7a2b975ce3872c3f9797125517d

SHA256
3b7acd9326c193ca08094b5b62931d314c6563f5d5595ad7649ec3eb47d2d281

SHA512
70e5bb18c2faea2429f39d2bcc2462e7852f05548bf0c190a8678b747c8cef2c72c841df6154a11a3b0bb3dba6fe7b679d46054fec5d72e82df8a91df5c2d724

Download Submit