neconyd | b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
Size

71KB
MD5

9c9f4c915ed4b9b1c5a1b9fbd9ce03d0
SHA1

9b77dd084506bde314014e7219a50e406d2ae947
SHA256

b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3
SHA512

3f383782f0914228a6d4cd630388b92b46f0884780b2ca4c707253cfc24d72e55ff103c2b97257b02b84dde8aa96cda32fac3bc084fccd28675cc0cb4ee17f2c
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:XdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3516	omsecor.exe
4464	omsecor.exe
3604	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3516	2140	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	84
PID 2140 wrote to memory of 3516	2140	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	84
PID 2140 wrote to memory of 3516	2140	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	84
PID 3516 wrote to memory of 4464	3516	omsecor.exe	101
PID 3516 wrote to memory of 4464	3516	omsecor.exe	101
PID 3516 wrote to memory of 4464	3516	omsecor.exe	101
PID 4464 wrote to memory of 3604	4464	omsecor.exe	102
PID 4464 wrote to memory of 3604	4464	omsecor.exe	102
PID 4464 wrote to memory of 3604	4464	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
"C:\Users\Admin\AppData\Local\Temp\b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
b62aca0d63f99dc36b21743d318f8691

SHA1
abbe4a8b878261324a0763e732fb50b22fac96c6

SHA256
ffb72b4b996c9dae65f77ed5ffb22363bb6c441037ac7dacfd75ec76c6934b17

SHA512
a0e704f4abab6a7b7c83cdae313997528748e11dc1770afde20912d58f40339e0ea6b3bbd9e1903d2b552b4557bca1342e5accf9b276e40361866d6fa54693cc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
eb9bc978e7d1c4060d2a1e5df0987c19

SHA1
18f4d4c2f5eaadc7e665db717253d8745a6b77b6

SHA256
345be743e6fb4168737d463929811aaeac78d20794be0501c6a3d2380718d1b6

SHA512
3dbbb72e33e4426c622d67fd52220e9630051b01f0ad97d9760ec1efc612f5be42825b42711107882e67b4140300def173f36d7a644e74f6b6f24550fc7bdc82

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
78f1e2f1145722f9e893ea550dc6eed5

SHA1
5529dc4adbe8093249d4e1dcc9a2d5d0569baa12

SHA256
6f7cd82bf9921caa37a5efda7ddf4e13a400617c0e626abd5927cafebfe5e38f

SHA512
058db1080a4132c28f1e6e808174bad03964d15ec2b655df4526b09d8b5e9ae6e94b3537b008f38d1e0a5b80fd3c615ed10dd9211e285bc980c7d814498e0c2f

Download Submit
memory/2140-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3516-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3516-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3516-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3604-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3604-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4464-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4464-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download