neconyd | 20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2da

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe
Size

61KB
MD5

64ebc72246ae91ffb5e87c177f24d1f0
SHA1

6466d3b163bd4a74483edc139ce3a290301fc1ec
SHA256

20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2da
SHA512

ac3043047f7e9e1d893307c41ef177f92fd66db422cb51035ff805072d49d43a3ff321772cf78ccd61b018db7f9f916bf18d9827dc4c05aecb5b75ce9013fe22
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5l:9dseIOMEZEyFjEOFqTiQmUl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2572	omsecor.exe
2900	omsecor.exe
4040	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 2572	3728	20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe	85
PID 3728 wrote to memory of 2572	3728	20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe	85
PID 3728 wrote to memory of 2572	3728	20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe	85
PID 2572 wrote to memory of 2900	2572	omsecor.exe	103
PID 2572 wrote to memory of 2900	2572	omsecor.exe	103
PID 2572 wrote to memory of 2900	2572	omsecor.exe	103
PID 2900 wrote to memory of 4040	2900	omsecor.exe	104
PID 2900 wrote to memory of 4040	2900	omsecor.exe	104
PID 2900 wrote to memory of 4040	2900	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe
"C:\Users\Admin\AppData\Local\Temp\20f53444e71ff434f914ab62959c685c949e976ec39a086fef772f2ada75e2daN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
50e9a11c1ed555a18766bf72b66cf0ab

SHA1
4771e862199b62e68026bec9eccdb82e96ba49de

SHA256
160378bba2474890fcb47ae32389049cc87d0ea810aaec286da4716b56c4a2f1

SHA512
ce224e4cb1a1091b802ca45f10b9be6e20405cf0a5148d01c531a93fa0d50f876292261d888ad1f3f28529e1f744f937431ffaefe34b6e90010eb928e5cf43c1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e31b9fbb29b59a38862c0a8e323172f1

SHA1
ac2878a06e9f5470629777eeb1909a5d9004e5f0

SHA256
01f9f2f25cf2487fd55763872770dad340e0634b6c75a5285a7ba53412b3c58a

SHA512
90e4b3c5309dd79eef235804f5a11c77f3cc86355ac5436f375ea19860c3af4c97ef5779abda7b3e62fbb436fbc1282e8a9de3b80cc70513ab5f148f645456e3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
32f3128603c8317911af3e2106d66548

SHA1
0e869bd0cbab88ecc2d1ca8d556d6da7570e4f56

SHA256
24002a8f167d0581917b8dfa67e8170ea3d4c7de4aec60594e89a59de3b12f7f

SHA512
9fc59a5b9b22ac92a8e8257afa3bdf3c3db2c70b6f0f35525aad3bd969e78cf96bf5c9e49ffaa4011c29ac181a1b54356daa44b40bd2c7c2de001f102143f286

Download Submit