neconyd | 65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe
Size

61KB
MD5

8ee88356070a343ac68234e60fab1110
SHA1

ee721aede2fc00d908dd7b8892ac630ad9bff254
SHA256

65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb
SHA512

cb0357cf05c1a161c90f0e6c73e99645a4a270d6fddb029700bf84b3bc51e18c1cd4c14aa2d26092172ce187bb8c62581a1d961bd24cd60d339fc0be87d7fb89
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5X:XdseIOMEZEyFjEOFqTiQmil/5X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5012	omsecor.exe
4304	omsecor.exe
4956	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 5012	3748	65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe	82
PID 3748 wrote to memory of 5012	3748	65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe	82
PID 3748 wrote to memory of 5012	3748	65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe	82
PID 5012 wrote to memory of 4304	5012	omsecor.exe	92
PID 5012 wrote to memory of 4304	5012	omsecor.exe	92
PID 5012 wrote to memory of 4304	5012	omsecor.exe	92
PID 4304 wrote to memory of 4956	4304	omsecor.exe	93
PID 4304 wrote to memory of 4956	4304	omsecor.exe	93
PID 4304 wrote to memory of 4956	4304	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe
"C:\Users\Admin\AppData\Local\Temp\65c1f656dc9a785a57f222f05bb3439ce519dd0f65254a711919f4a08d6f57eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
ed388892990065f0bb3dae24e4fdc6bc

SHA1
7a1d502ea3b92cd83e52ae4fc35ca93cc6d0dab4

SHA256
0c8de17f5ceadeac85f44e007e42635af6c4f876a83e74274ae7804e69422f28

SHA512
51c5ac5e33ee825ef717e02f0e8a20392dee13800292a2d0904d9785134d9983804ee80ccdead6536eec2d8103fdb74bec14698bf634004e1ee226ed87320994

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7073e8e28d289c04d1b2b4bf5e06b463

SHA1
5fd090bad1ebeee47eb6c2ffd634671ec6333f7e

SHA256
1f32eaafb1f9fa903df0d19ea5881c32e70338efb0efa6a04ea84bdc42c5b440

SHA512
2434e6f9f45cfa3512ef315c0825ce3ef30a82dca5f4e83fb99013902ac79432c209b32531e83a5da81215396891deac4aa828e17c2d4d517d672c67957c6d7e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
ec7b6e7a067717fa104c4dedf9b79883

SHA1
73fc09e29053bddae6dc2df44b8bef4c1c4f08b0

SHA256
5324440e0cbe935012b349f1570c7a1799c216843b2eca0b1fb51a811f87ccff

SHA512
5a19739111b10eabe5bc758ef2b1a136470e8be394a3d8888ca6adbf2a7a43b8ff7f7cb7c002d7adaa0556b89b648e45c49a4b0714f10a7a875b8909da6625b4

Download Submit