neconyd | adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
Size

76KB
MD5

90caf5eae22950b61696d4ff2cb82c56
SHA1

5f9acc7c2e74b7e409cd7dafaed10f6c67bbab09
SHA256

adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4
SHA512

8592fbd9730d5ca2a38ea5569b8ceb60790e53cd9a0a4ac2b8f0a2de5c2df60d3b1bb3deeb4a180d4711905edb44e5c5e78e40db5c6f6bc630859eb957913561
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11:gdseIOMEZEyFjEOFqaiQm5l/5w11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
988	omsecor.exe
2872	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 988	2640	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 2640 wrote to memory of 988	2640	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 2640 wrote to memory of 988	2640	adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe	82
PID 988 wrote to memory of 2872	988	omsecor.exe	85
PID 988 wrote to memory of 2872	988	omsecor.exe	85
PID 988 wrote to memory of 2872	988	omsecor.exe	85

C:\Users\Admin\AppData\Local\Temp\adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe
"C:\Users\Admin\AppData\Local\Temp\adc9736e5c213fba5d47a7788f96cf26d7fdc76c42dfe5d9de6502e699e232b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
fbc0ebfa2114918aaf6f931f7e24d472

SHA1
982c415147db16cc5f52041420f14666973dbf90

SHA256
5d6ab12bddc043148c3c76ad567b433006b0f8694b9fa048ab92737f290fb80b

SHA512
0bf88ab605d429624d60e38da25c05830245d6a4977a1463a0051ad75d83352089a403b187683034e2fbcd3055060d61c0e3a02f8049fead7d0738f28d498d7c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
de6eb25963ca0dc91fa388b9d3bead4e

SHA1
85d2512ae26f86a035c6c1e2946a4e719655664d

SHA256
72fabfffa55661d4344bbf9e8831ca1534affc31619ec81bceac9d22afc8ec38

SHA512
ef795406ae13bd28405ed5f6f4c8f879c9a2159f99de03864670eed1575a7c97f2ba7fc48f33c8b41e43260da7cc7c9e4ea08bdfc261b69dd1016f7e7d0e504a

Download Submit
memory/988-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/988-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/988-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2640-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2640-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download