neconyd | 4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
Size

61KB
MD5

94b4fcf1ef3bbdd5cdc759637cb3ab51
SHA1

99048ab86c5b712ceab0e8e3a735025df0823fa7
SHA256

4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2
SHA512

e942872a4dc15d54f9f3d43e704efeb52918dc84933e6b93956e2e480c11d8ff372b632fb1a2fe73453fe0c733e912f14c0046999d50ac7f0c54f3132cd87452
SSDEEP

1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZil/5:zdseIOMEZEyFjEOFqTiQmcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
776	omsecor.exe
696	omsecor.exe
2776	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 776	4380	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	83
PID 4380 wrote to memory of 776	4380	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	83
PID 4380 wrote to memory of 776	4380	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	83
PID 776 wrote to memory of 696	776	omsecor.exe	101
PID 776 wrote to memory of 696	776	omsecor.exe	101
PID 776 wrote to memory of 696	776	omsecor.exe	101
PID 696 wrote to memory of 2776	696	omsecor.exe	102
PID 696 wrote to memory of 2776	696	omsecor.exe	102
PID 696 wrote to memory of 2776	696	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
"C:\Users\Admin\AppData\Local\Temp\4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
269eb7202d8d0a894a1ff6a3d2cc2a5f

SHA1
6bda63e2dc4178cc2dd7b9cddc72f1b6aa1ffeaa

SHA256
5474af99b21ce52cb29fb150a0d77349eeeb995ba945618bd91ecf9946f68b55

SHA512
25d385517e829f6eed7dc7b965c2b0753f3bc5923e8eb72ede2991fce9d763422ba370fc8909c315e28a56c35e0f342daa8d9ee961f82579c93fb61ebd095bba

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4b77265990d905fbcb5891e6f09f1c50

SHA1
5b9c03d0c44685667689b9dce403a0a370800279

SHA256
75878476051c0729c8ff64dfb7d76cf7c54a52a1422ea96cbc75a47fd63d2ca1

SHA512
c53e0289a6acd5977936cfdfaa9e07ef10028af4d67d37ab4900e8b0db639538cbdab71681c8df35c1acc3912d78b6d1707c1edc80eedd7bc9d40228ced1754e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
12e5cfc7420a4d845402ddcea8b09702

SHA1
437d2978c9decad184b498cb5cc25968ffb42c64

SHA256
0e922ef83485df2ad4d9223411638ecca5a0bd34d5f4363daaa9e734e5cfde7f

SHA512
b784c9a8513d82e8084ec686421b8543cff7bc394837ccef1d220854e58ae3a9d858144f73306d3a6b9bc797ef798995841687c349d0f5e74e0348e8ad99fc0f

Download Submit