neconyd | adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
Size

76KB
MD5

90caf5eae22950b61696d4ff2cb82c56
SHA1

5f9acc7c2e74b7e409cd7dafaed10f6c67bbab09
SHA256

adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4
SHA512

8592fbd9730d5ca2a38ea5569b8ceb60790e53cd9a0a4ac2b8f0a2de5c2df60d3b1bb3deeb4a180d4711905edb44e5c5e78e40db5c6f6bc630859eb957913561
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11:gdseIOMEZEyFjEOFqaiQm5l/5w11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3140	omsecor.exe
2976	omsecor.exe
3996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3140	1168	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 1168 wrote to memory of 3140	1168	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 1168 wrote to memory of 3140	1168	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 3140 wrote to memory of 2976	3140	omsecor.exe	92
PID 3140 wrote to memory of 2976	3140	omsecor.exe	92
PID 3140 wrote to memory of 2976	3140	omsecor.exe	92
PID 2976 wrote to memory of 3996	2976	omsecor.exe	93
PID 2976 wrote to memory of 3996	2976	omsecor.exe	93
PID 2976 wrote to memory of 3996	2976	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
"C:\Users\Admin\AppData\Local\Temp\adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
bed9472bc2ff50b52643df9fd7790c87

SHA1
c77b78e906f5663bd29851bb8739eff508bf0306

SHA256
5331eecfba6e658b8f37f952172d31bfe7fed5c3f7c2819dd51d1563676259c7

SHA512
ea6d252e6dc6488614cd13c2f34c8874161587fe52ad3fdbec2a741e912ca247161ea6c07a26dc02c416ad388d5589ed5022e49ff65edddef446ee065e500719

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
fbc0ebfa2114918aaf6f931f7e24d472

SHA1
982c415147db16cc5f52041420f14666973dbf90

SHA256
5d6ab12bddc043148c3c76ad567b433006b0f8694b9fa048ab92737f290fb80b

SHA512
0bf88ab605d429624d60e38da25c05830245d6a4977a1463a0051ad75d83352089a403b187683034e2fbcd3055060d61c0e3a02f8049fead7d0738f28d498d7c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
3e2408e944eb61579f3bf52dcc6f98e4

SHA1
d9af9e744aceaa7ad69c6b6d0b88b32fe2153a58

SHA256
82cf3f56ea961e46a70a4736d56c8d4f865d06a366c6b1f29f6f11988629efe1

SHA512
83d21b9ff07cfed403490259d6d8e2a3aa42e8a5dfe2aecbd861b48ed875a7ab619f69728dffd00c209e9215bb112c656b208acae55bb2835e49d86afce565e3

Download Submit
memory/1168-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1168-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2976-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2976-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3140-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3140-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3140-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3996-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3996-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download