neconyd | 0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
Size

64KB
MD5

2a42938dbcea7415ecc256d45ff9ecc4
SHA1

6db8338d26b5962e40ecb766fff88fed29c7ec2e
SHA256

0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db
SHA512

a746c4f02fb8889edefe5a9834c9db625c09f13902b8683e3883fa0c30d908f3bb6212defbcadeae001ea46cd1ceb5e647aa74f6a881d09131949f028765e427
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:4bIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
548	omsecor.exe
2628	omsecor.exe
4700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 548	1656	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	81
PID 1656 wrote to memory of 548	1656	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	81
PID 1656 wrote to memory of 548	1656	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	81
PID 548 wrote to memory of 2628	548	omsecor.exe	91
PID 548 wrote to memory of 2628	548	omsecor.exe	91
PID 548 wrote to memory of 2628	548	omsecor.exe	91
PID 2628 wrote to memory of 4700	2628	omsecor.exe	92
PID 2628 wrote to memory of 4700	2628	omsecor.exe	92
PID 2628 wrote to memory of 4700	2628	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
"C:\Users\Admin\AppData\Local\Temp\0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
d52694d8e80e3fe96cc31e28a8f4998c

SHA1
30f7979055db2e7f06499ad2f7485518fd7949d4

SHA256
f8326045c4627c735eb78340b3c562831a8fa199589004e7b225b134b64bb549

SHA512
760225d41a868b1e587b4a33d02d51294285bc8ed80a95dcc3b3f9ea4a68d61c0bf157e2214e156a25d3f28effa91fb18a16989c1ff2bc533cc4fd3914b550cb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
c2bddf8a957f407524531cf9671ae96a

SHA1
5ca68420340a52528e3d8d6ad39c5d5e7ecaf602

SHA256
8e00aeba75275bb35d1b78c01c80a22178d0bce99df49382ff23e42d0264c5ad

SHA512
ecc59d365c6ff5a1275456b5111a1c7406c72711d10ade300146000fc852cce987a90a8d50e34e110b2bf04e0b71cc7ac32c09455225b6e92676f35b1cbb52ec

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
af4e9c43358eaa5a4d7b4bdb89cbaad5

SHA1
1849ffbba6a14d2730e23b98e33fc16e6c2afc8e

SHA256
1810e268b8e19d5a25e2c553e7f74cb227580b519eef2f8e2d501f2e9cee2347

SHA512
680e9836222066b56aa13cd0027190dde47b3192c05b33e804faeb85168ae72e9e7673cd6b8b054a6c9f2389ecb0ccac6bff76b330623573f71dd672dd3282b7

Download Submit