neconyd | 32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe
Size

61KB
MD5

13ebb36e596146a672c3ff8b6e08c2d4
SHA1

b2309079bdbd23463c4f60f962494b2888e5452c
SHA256

32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad
SHA512

c9cf11d45bbd98d883069c9dcf681cc3bfe34d791809f59c1ab6a6fee6cbffe1648c3d6aebdfc028d0398990e7a4719682c0edf7c8890448c27160d2f8557c18
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5:QdseIOMEZEyFjEOFqTiQmTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1552	omsecor.exe
2556	omsecor.exe
3760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1552	4116	32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe	83
PID 4116 wrote to memory of 1552	4116	32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe	83
PID 4116 wrote to memory of 1552	4116	32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe	83
PID 1552 wrote to memory of 2556	1552	omsecor.exe	101
PID 1552 wrote to memory of 2556	1552	omsecor.exe	101
PID 1552 wrote to memory of 2556	1552	omsecor.exe	101
PID 2556 wrote to memory of 3760	2556	omsecor.exe	102
PID 2556 wrote to memory of 3760	2556	omsecor.exe	102
PID 2556 wrote to memory of 3760	2556	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe
"C:\Users\Admin\AppData\Local\Temp\32f2a8dc6d14dffc3df5f6382a579e27e5df7d522f31a03ae902b3e360c525ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
8b86cd3def6b479ae45aee723ee73c8b

SHA1
e3171d53d2b8d5032e17c093c8ef589fa238c01b

SHA256
76b583ec9e6b42c316b16c97351fbbbfba854b186e0ffed5458c5f6e9e5f047a

SHA512
8554021e7ad7f53788da70903be2f80771f304793d6be2bbde3b5565b1393dbd72046088fdd847a7126fdc55db4f254770da84f8d936735c0f87d00b181680f4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
1e8eef8662afbdc724d0566f3912e83c

SHA1
bf7d5bc6a5d60cafd771afb6e8cfad7630774945

SHA256
322f3b6b964a07bbe67dce324b3dfa23b8d85e84e208ffcd38b0b8946ce5e520

SHA512
6a1d3d2415997b266c12a90e3ef133f21e3d05affa4159dd407b8cfa8030b576ca612a51a05f2e27d097783b9aa3b83a6495d74c0234c8cf16d47a1d8a6522fc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
33e79442102d027b48e95662fa90cc39

SHA1
1c6581e1bb193f31fc6059014e4b6e9bd08cefae

SHA256
73497219d6034d0b2f1e73262ce15454189204ba40cc1591afb677b95c535e0a

SHA512
3868de62b4155298bdb4691fc68bcfdcb7588bedec120b0ac103f21367ebfcd332f5d018f8d7a81807c8999d4efbf96bebc90c11fa1456d047e1f5d441cf3581

Download Submit