neconyd | 49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
Size

61KB
MD5

169e53955da79b097826d0f8eb991a20
SHA1

a009318f2e100d27a7485c44b6e27a7736c153f1
SHA256

49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249
SHA512

e4bbf2e264ad2b02011dc7d646d9a39cce6a5c1b2202cf96394152b503113af7823d105b1111b9f8e7c81037db00e81017e88a7c0ee8a3b6556034125064f3da
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:mbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1536	omsecor.exe
4460	omsecor.exe
4368	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1536	1608	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	85
PID 1608 wrote to memory of 1536	1608	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	85
PID 1608 wrote to memory of 1536	1608	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	85
PID 1536 wrote to memory of 4460	1536	omsecor.exe	103
PID 1536 wrote to memory of 4460	1536	omsecor.exe	103
PID 1536 wrote to memory of 4460	1536	omsecor.exe	103
PID 4460 wrote to memory of 4368	4460	omsecor.exe	104
PID 4460 wrote to memory of 4368	4460	omsecor.exe	104
PID 4460 wrote to memory of 4368	4460	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
"C:\Users\Admin\AppData\Local\Temp\49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
00be4373fc017d6c1f3a17fa41315f80

SHA1
295a2bd2e8f0a3b5bc9fbc13c1513e18790f9e85

SHA256
4e91510808bce3be3d7ff4e04d0c5e6377ee02c463c5cda0d894c032c25d131e

SHA512
5b16ca54005432623f38a4c69f871e7316ceee6da74a4bbab6082433c69402fc4c39d1590cfe9da3c5fc228acd2fd8f57dca61acadffe0308a68073deb8cec26

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d97307c56c339fc23e21718d6b3cc502

SHA1
01dee6056f3d3b38494e45f463c2d45e903104d8

SHA256
fd5615088339079ca17e0c65a44546cc3457b9bbad35f0939a26c180cba21cd2

SHA512
c54e51ac091f5410cec43173d5fc31be15231d076eeb975e6455335c5c0adff5441c8ddb6250b5e8c731dca76746615009e5ccc9c66f473abef635ab679b7a6f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
6120a89f84c11821fe3178e118391d39

SHA1
d96f98cf1ed4ad86fdb2bf5af8f41bc5849349d5

SHA256
1015e163e7b6b7186e19a213c36f25a062cf3ccf6e5b21a1bddac22396496e4d

SHA512
d6a763208c7ba6b3122871262a05cfb3a198d543c1c209dbd0dce369e28d96c343fe7d3c7afe20bf603fb5f80018a3157b8068c6fce53581f1bd66db247bb5ef

Download Submit