neconyd | a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedc

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe
Size

72KB
MD5

a0bbc4cba4946a0f77b798d443976e60
SHA1

12240b21ce2173981ab7933ebf1e836d3f248205
SHA256

a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedc
SHA512

8f895005d8c9acbea9f8c128f7f24189aee20bdeaee45a7e6849bf775e72d7c5ea5ad4418838bbe6e02a0047200c4e7025b0dbe4bd4db4306bacf48bc01c9526
SSDEEP

1536:Bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:xdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2456	omsecor.exe
1244	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 2456	3296	a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe	82
PID 3296 wrote to memory of 2456	3296	a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe	82
PID 3296 wrote to memory of 2456	3296	a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe	82
PID 2456 wrote to memory of 1244	2456	omsecor.exe	92
PID 2456 wrote to memory of 1244	2456	omsecor.exe	92
PID 2456 wrote to memory of 1244	2456	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe
"C:\Users\Admin\AppData\Local\Temp\a24136f142634b04177aa281d30adcc99054eee3c733b63a70caba460afcfedcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
ad3f7111fc17af8f76717c48d7242ad0

SHA1
bb75ce277bc002c6552e0c82bbdc4bc94071b208

SHA256
f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503

SHA512
f71be5a8b044520ce15bafc71eec67c43128ae897b1f819575c3d07ac601b9066080dcb0d5aa924e9e920f107eee73a72dddadee332f15d6a7c4c366d6195d5d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
4b14ed4ac8da0a1f772f4274892dceb2

SHA1
c6fcb24112a4e067a679c53814126878996d93a2

SHA256
caf4ec51a5f6c028acb0a114766cafb165a3447b33a33fa6f329e02b5173e36d

SHA512
d1955c3d7399f1eb0be844bc836893a51410d20e0f78524f6502dee4c2e58b49e902d34dac724a79ddf2d8daaab17a597c88749032bc471db1b621ff734d5736

Download Submit