neconyd | a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808

Analysis

max time kernel
116s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
Size

88KB
MD5

49eb23c4378f48dbc96a6f0435bf70a4
SHA1

e2cdd469339b7ba9461f71af8f8fdfeea06cf9ca
SHA256

a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808
SHA512

d16e8e7fd3382a000096dc04c3033c892aff2deb4ef652d89d1e9b99429c3e44eace35f6450a1d071ae6b35711a6fff38ca348897349a5b31410b289a78abe82
SSDEEP

1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5J:adseIOMEZEyFjEOFqTiQm5l/5J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1768	omsecor.exe
2200	omsecor.exe
4424	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 1768	3168	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	83
PID 3168 wrote to memory of 1768	3168	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	83
PID 3168 wrote to memory of 1768	3168	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	83
PID 1768 wrote to memory of 2200	1768	omsecor.exe	100
PID 1768 wrote to memory of 2200	1768	omsecor.exe	100
PID 1768 wrote to memory of 2200	1768	omsecor.exe	100
PID 2200 wrote to memory of 4424	2200	omsecor.exe	101
PID 2200 wrote to memory of 4424	2200	omsecor.exe	101
PID 2200 wrote to memory of 4424	2200	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
"C:\Users\Admin\AppData\Local\Temp\a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
bf93cc2ef5863f8cca452f11ad802d86

SHA1
09982fa91f8951798cf48295c9eb6ebe8683d4ca

SHA256
5d0be18001d4d001099879b470793ee52ef463b46370dfba8e9e9532c41050c0

SHA512
61975bf837e87314929c9a5e2f585f45f7165e70fc64fcf1cd52420e4f3f5c5f1bf019f360c4b757acb59a67f6a5b31c91b6add448851ed03f72f10fe918cf1b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2f8e6542697e6a93e968d2cf61f1882a

SHA1
d6b3c87245f1aa9a5a6c6e4ceae5132f30ba854d

SHA256
885b04bc70adff1b8318af68156170f63c35e0fbc37b2413f22238e4747cd749

SHA512
0df698027cb3bf842f578705835064aec6ec2bf2b5f1b7a0982bbd203c4a37c30db15f18735222a7cd32b7b179bb13ad3a5012a896636385d3d220e3ca47c291

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
a0905d5938f7dea4b999abcbcd777b62

SHA1
9269e77ac787a227373348f9d536c2aa7d8bb6fa

SHA256
6ba87b9196f9ea65579c257d251e6f9ed6d402cf0fcb6be73e97ede46903b3ec

SHA512
96709b21270032a06a9a19d94285a56807c73d0c697e4b34c3545f1dddd8d48c1761f2df3719c2d4f13a0f7c4019fc1ca6b99edf051fc1503502247909dbef28

Download Submit