neconyd | fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
Size

64KB
MD5

6db5e657551a718e029cf9d8095b49e0
SHA1

43a66b86b300ab632ad08926b92a4ad95998c000
SHA256

fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10
SHA512

4ccdfecee3c93823584f5cf9c101b0658320f555e6bc3c54c9b106f56191b91249d2d7ec4460f21ce24db8fa72498725c4390f1cdd52195e3fc9eda76a22fa87
SSDEEP

768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4680	omsecor.exe
4872	omsecor.exe
1884	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4680	3296	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	82
PID 3296 wrote to memory of 4680	3296	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	82
PID 3296 wrote to memory of 4680	3296	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	82
PID 4680 wrote to memory of 4872	4680	omsecor.exe	92
PID 4680 wrote to memory of 4872	4680	omsecor.exe	92
PID 4680 wrote to memory of 4872	4680	omsecor.exe	92
PID 4872 wrote to memory of 1884	4872	omsecor.exe	93
PID 4872 wrote to memory of 1884	4872	omsecor.exe	93
PID 4872 wrote to memory of 1884	4872	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
"C:\Users\Admin\AppData\Local\Temp\fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
0803ceb91e47e1458864bea4a2d0e977

SHA1
aa45af6bd334c647ebe660e11b5e912a73189f2e

SHA256
26ee5e6374986121b24352bf7ba0f9047de945e9f0cf19cf01a8ae24c64637db

SHA512
61f8dbb905cce9ba01ad0e36c9c4b7d70c13e818022ed516dc718aa619f4eadc0aa59e2957df17475a01a779a4b00807ca31ce701fa02d1a4bcee8b690733fae

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ccd70b4c481552f8f98d8baaee4193ab

SHA1
9756ae9490e3b16fd705d11d0fbd0841a4027fcf

SHA256
1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822

SHA512
8b99e51e809dce49a24b6761237777d0f6221b2c26cabdc045cde3f1582d455d2e0d6f1acf13801d6ef885465200e39ee74a534596162f5aae9476c70fd2b380

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
7d4a3ca68e433493840cd8fccd6a3836

SHA1
51e0d27dbb393b9454dd6d2622270d321fa2ff55

SHA256
fce8b5d60c2e820f77248f1be5da96409c182274e007f3746a08b4400638890b

SHA512
8f6432e726b465ffa77a6840296655884966589d46c7c3e88bcc72e87cf3fd3f98f968e355bd49b7a65de3510fc73c19d93af211419dfa30bcd5caa38a624ec9

Download Submit