neconyd | c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
Size

62KB
MD5

aedb8c1eb7c3afae98c4ac358c7f9db6
SHA1

22de0468ec542fcb302cb46a1314ddbd6c1ffdef
SHA256

c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667
SHA512

a7c115d7c52565e9f9d4843042df3246f4fbb5f7cbcabacd8edd8ffd99a76e880acdcb2f047af03bd7e77f2e420ff3f8649daa8a2fe82f26a2b7f5b5772a7582
SSDEEP

768:IMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAH:IbIvYvZEyFKF6N4yS+AQmZtl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4684	omsecor.exe
4256	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4684	2324	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	85
PID 2324 wrote to memory of 4684	2324	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	85
PID 2324 wrote to memory of 4684	2324	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	85
PID 4684 wrote to memory of 4256	4684	omsecor.exe	102
PID 4684 wrote to memory of 4256	4684	omsecor.exe	102
PID 4684 wrote to memory of 4256	4684	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
"C:\Users\Admin\AppData\Local\Temp\c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
95e5580ee9bb4920f002a3c812bbd1a1

SHA1
c52bdc6aac22eee1ba474f3381d475e2bdb74780

SHA256
7a0f9eec4b59202117bd1a01c108309910685f1f2c8065675f676029f1e28cdd

SHA512
2044279cb23e58dec44b9e41eabd02a7fd04eafdb8c94d79c01d666c281d7f7561a72b07f7683ad53aeba6642e0a3c9141dc89a54ae08a91d1d7622311026a0f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
6b66d7e6098d55c571fbdb97dd64261f

SHA1
1891302bfa0a590a9577c2cf1ba0c90373862b80

SHA256
975b0e4c57f19cae0d4195b533af8bf65f08ce1d1ae4a9e08d49cd617dec08df

SHA512
99a6669267e19531ba0cb16e31ba6bee902ff96b4a8b4e94aa07306853f34462759906c79fb9506c94dba337f9fb36d11548b80c2875748a51c578c44f24805b

Download Submit