neconyd | 1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
Size

64KB
MD5

ccd70b4c481552f8f98d8baaee4193ab
SHA1

9756ae9490e3b16fd705d11d0fbd0841a4027fcf
SHA256

1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822
SHA512

8b99e51e809dce49a24b6761237777d0f6221b2c26cabdc045cde3f1582d455d2e0d6f1acf13801d6ef885465200e39ee74a534596162f5aae9476c70fd2b380
SSDEEP

768:UMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:UbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3092	omsecor.exe
4996	omsecor.exe
4364	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3092	4116	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	83
PID 4116 wrote to memory of 3092	4116	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	83
PID 4116 wrote to memory of 3092	4116	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	83
PID 3092 wrote to memory of 4996	3092	omsecor.exe	100
PID 3092 wrote to memory of 4996	3092	omsecor.exe	100
PID 3092 wrote to memory of 4996	3092	omsecor.exe	100
PID 4996 wrote to memory of 4364	4996	omsecor.exe	101
PID 4996 wrote to memory of 4364	4996	omsecor.exe	101
PID 4996 wrote to memory of 4364	4996	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
"C:\Users\Admin\AppData\Local\Temp\1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
5ac0a195286b82f373ffdcbd3ec98079

SHA1
d3fda6e56dd4bec4a5bb9dc27a7c938e0f650375

SHA256
fb2275a7c6336554f948c4adf118946a99acc40396fb988e2c9fde49c981358f

SHA512
20508473af6f5b6a26d9e41a2dd2ab1643e298e81e6ae5ef8d45bd67a6e64bc7e4f0847320db56f663c1cf342bf94a6bf6cb6b00d07652816664c8a77ce2616d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ee7375d68338f0bdbe6bc1a32defacca

SHA1
c07dc87d85fb8b06ec723c82c393124ebd421d16

SHA256
8a3c6a4d3af9bb182688198f2e9de8a8cc0e0ab845def9bdb95dd7139fce07f6

SHA512
e43b1b20b0a3550506621f173302aa2b3c53d73c6d0d9f3baed42f07a693ded39644958f9507309a1320a8d34164bf5f5bc5602a95a4cac2a1c43f6aa31bbf29

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
efc80181b7db1acbfcdc1666cfdc9360

SHA1
8d9fb8b8c7c5ab831505604553155c7918aedf1b

SHA256
642ad48e345085825e3a9b9dc5d6077cfbd0fe31dd724db80ada990349f9b6d3

SHA512
3418d9bdc34ed9abbe0f01c5f85e4afc6b0c3764de3292af5180c5829dc03ba8f7246372c07e98c19f0b849b79f08ba5347cd49a39ceaafa667cd48ec3a60ff1

Download Submit