neconyd | 1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
Size

61KB
MD5

58a9460b37d9363bb9c9dc9c5c4e42de
SHA1

bc0c589985451149f971676617412a06ebe4d143
SHA256

1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76
SHA512

7b9d4c51aa37375c546cc72fc7f3447dd0206749c85cb9fc0f26391886c6c31a4775b89a68f64d7a2de64ebd0b1ee99295565d91a5adb791d82e1872f4e21fc7
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5t:ndseIOMEZEyFjEOFqTiQmUl/5t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3196	omsecor.exe
3668	omsecor.exe
5100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 3196	1300	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	82
PID 1300 wrote to memory of 3196	1300	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	82
PID 1300 wrote to memory of 3196	1300	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	82
PID 3196 wrote to memory of 3668	3196	omsecor.exe	92
PID 3196 wrote to memory of 3668	3196	omsecor.exe	92
PID 3196 wrote to memory of 3668	3196	omsecor.exe	92
PID 3668 wrote to memory of 5100	3668	omsecor.exe	93
PID 3668 wrote to memory of 5100	3668	omsecor.exe	93
PID 3668 wrote to memory of 5100	3668	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
"C:\Users\Admin\AppData\Local\Temp\1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
992df7cf1917f72d82070ca8b96c5794

SHA1
6520a9c722451e3b8bc3d45cb66b9342debff595

SHA256
e83d682cab325b7933d19edee4ed00ee2629d6a15e72d3ee52fb931ea8154328

SHA512
ffdd14fbf3fe8b17e2b40a055f97f636fc947aa703b3786571fcefa28a7d494f84fafb2dcddc8ed358e325a65598127084df0cad17869436f3a96ea4097e1f4b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
79390a1d4d7d0e1bab7219fdf0906a83

SHA1
8671ba7d17b0586cceec1b49965ce092e32f277c

SHA256
ab3ff9ce8dac43f4f2c04ba9ca4e977628c73b5c0670090809f01a5feeed32f1

SHA512
d13971d261676917e8ac730a47e8c842a14402246b37e50740758f7388c702637089addc2e73efd95efd39c68d9de6f380ba806e7b340196823c4709cb16af35

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
a2e1f82b2ee7dae1730a8dc30519073c

SHA1
3176c83e6818603af54fcee9d7cd134fb637faf6

SHA256
dc59007670f36b6997a5ed435127a1b4465140c6d99c4005786d626a323f58d4

SHA512
1e351b319bf0ff06928fc7e50cf61fdbed192f3f7f230fd4803eb62b1aa8db6774261d60f05a2425c483f5cc8a4207cfb47259464acca042b4b299480110509d

Download Submit