neconyd | 6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6b

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
Size

61KB
MD5

4e515099a735e85dc8251b8d40074ef0
SHA1

d2c15cdc6dab2c7bb382725e392169f3335f83e3
SHA256

6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6b
SHA512

214a9de1177e111e2079b81e0634e357eb86fd02642375ce6f3b4ddcb012b73b8e32fe2eef96cda3771ffdbb65e908e30616ab14a60aec79428c501702ad9ff2
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5X:XdseIOMEZEyFjEOFqTiQmil/5X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3612	omsecor.exe
2768	omsecor.exe
3392	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3612	428	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	85
PID 428 wrote to memory of 3612	428	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	85
PID 428 wrote to memory of 3612	428	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	85
PID 3612 wrote to memory of 2768	3612	omsecor.exe	103
PID 3612 wrote to memory of 2768	3612	omsecor.exe	103
PID 3612 wrote to memory of 2768	3612	omsecor.exe	103
PID 2768 wrote to memory of 3392	2768	omsecor.exe	104
PID 2768 wrote to memory of 3392	2768	omsecor.exe	104
PID 2768 wrote to memory of 3392	2768	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
"C:\Users\Admin\AppData\Local\Temp\6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
568564140fdffbd3bea2e495ef7ccaaa

SHA1
068e4981db28ff256b5d36057bc6e7db5f90209a

SHA256
24f79f03338f448cf8a696cc3a289f8c09939a4047f5b586a5d9d16d6198b3b4

SHA512
fe896353bc3ddc8df4e992016d6f9a2c7654297fcf789ed5a9391f6c0625132ea3f34744a01df31dc5b5c6ae28358d503e15704cb05cf7fa94f7ccb26f5062b7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6422fe077b98321be12a5c51f5c7bf0e

SHA1
e7501650a421cbb8d12ce7d103ac2c667a197304

SHA256
527b3647a499fd630b47d353731a1872978c7fe0c7ba4a049d7fc146347cd5eb

SHA512
62c848f66e2a00a233489a43caa46328400ac978fa2f56854900c8c4a8cebd27335d8f1353ea2503e07014f3b75d9e5a5bfff09ddf5f06e965cba78043368a4b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
4c4907ae5157ab19b0182a1d814524d2

SHA1
81e24e5cab96fd8389378a4a8179f45f6af8a93a

SHA256
7fdbe5ea9ae2b736fb10f5413913b1a93c75fc3678c17383edb8d3628390b229

SHA512
022e252465a2a7e7b09e9ee6a8708f338b8402294544a3da31f2d02864915301510aea8168140bb8020c7fedb82f28564fc16a83791e4b7aee1b3474194b8973

Download Submit