neconyd | 8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Size

64KB
MD5

1d905d3fd788fac0e3378e27d7f6c23e
SHA1

3ad24ef474429a940184a11ea45dc8ef6faabe23
SHA256

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345
SHA512

dd8d7effe7f5acb9b8035b5914f4db305f0dadd348adab7eeed564e33c83069df9cb8bd8bb2392825adccc6962d7b7bea3b7dd6a88e74c93005aff35b1cbb744
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:4bIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4488	omsecor.exe
2360	omsecor.exe
4324	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4488	5044	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 5044 wrote to memory of 4488	5044	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 5044 wrote to memory of 4488	5044	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	83
PID 4488 wrote to memory of 2360	4488	omsecor.exe	101
PID 4488 wrote to memory of 2360	4488	omsecor.exe	101
PID 4488 wrote to memory of 2360	4488	omsecor.exe	101
PID 2360 wrote to memory of 4324	2360	omsecor.exe	102
PID 2360 wrote to memory of 4324	2360	omsecor.exe	102
PID 2360 wrote to memory of 4324	2360	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
"C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
e98e3b30f0f1c1fe452306660a0268f1

SHA1
0724d337ffddfb6c41e8e0ae6f44503598479fdb

SHA256
12567c9f3b4e04aa681f52e835a60536ccb054047c3cae240724b59d5ab7bd41

SHA512
9e5e150e505a158832290ab8deb343af582354cb0b386f14127432a08d03ab7345f277a457df3ebca3c1b08c6a46b88d079fc4c47e0a6ad1b454c9c5f59b17a3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
dfa4656b019a0a8547be798bdd4697ba

SHA1
505168953ac269f870d6374be0273c20a0f63c53

SHA256
cf37ba3dd13db0a995b71c16afa790849fc0e083fe3942692f45ad3af8c1e976

SHA512
b8d518747a72032541923a501be7a3ae9c2a27a26d47c0cef1cc882baa7634faaefe8cdec4037179f1b56bed6484b61a025ef86a443187f2c538e840ea863068

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
37f8771255bca698f67fb0af83ee3340

SHA1
372b10a22007e3debf7582db8cda6d32f88a84fd

SHA256
efd9842f7fd6bc63da876990cbb60eedaed1054d7279e34eda5bb7f20c2e754b

SHA512
421f67e356877cce11dc2246d4a7b655016b50510d1741ffb9de1dc5001277efc6fd833340e29a848f56620cb9abc7cd576aac6c44e6941c7d48569e59cc38d8

Download Submit