neconyd | 8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Size

64KB
MD5

1d905d3fd788fac0e3378e27d7f6c23e
SHA1

3ad24ef474429a940184a11ea45dc8ef6faabe23
SHA256

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345
SHA512

dd8d7effe7f5acb9b8035b5914f4db305f0dadd348adab7eeed564e33c83069df9cb8bd8bb2392825adccc6962d7b7bea3b7dd6a88e74c93005aff35b1cbb744
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:4bIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4764	omsecor.exe
4344	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4764	3092	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 3092 wrote to memory of 4764	3092	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 3092 wrote to memory of 4764	3092	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 4764 wrote to memory of 4344	4764	omsecor.exe	100
PID 4764 wrote to memory of 4344	4764	omsecor.exe	100
PID 4764 wrote to memory of 4344	4764	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
"C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
dfa4656b019a0a8547be798bdd4697ba

SHA1
505168953ac269f870d6374be0273c20a0f63c53

SHA256
cf37ba3dd13db0a995b71c16afa790849fc0e083fe3942692f45ad3af8c1e976

SHA512
b8d518747a72032541923a501be7a3ae9c2a27a26d47c0cef1cc882baa7634faaefe8cdec4037179f1b56bed6484b61a025ef86a443187f2c538e840ea863068

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
830ae0f121ae80ecd78a9d730ed0dcd5

SHA1
75d2ad9be12579183c44dbde8ee02c2b3e52428a

SHA256
6c4ee87b78de7e4fb51dfba692ea7c9a46fac51c1002e7c66f325ed3bab25eb7

SHA512
a4094ece040cc5620acdb6f27cd9e9d0a12f6cae0162c44ae43d2b48f8d0e41df3ddbd31725124d017f6f4d7617f6810a5943e45059d06b961c3317d9b435988

Download Submit