neconyd | 3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
Size

76KB
MD5

a4bc7c45722cf2a4f9a6759b885bad6c
SHA1

a7c74bab40d8db95ad9fd9fb30dce5491f257e7f
SHA256

3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e
SHA512

17eb0bf4e9e3d13652c9fc0484f50a1477f840199b92715d24bf3b21be0bc670619aa64eff2a6f59fb48d25ae1f3d4abdb2fbc96acfaac247be1f9a91fcd30b1
SSDEEP

768:O2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW7:/bIvYvZEyFKF6N4yS+AQmZTl/5O7

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
228	omsecor.exe
3488	omsecor.exe
2256	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 228	3108	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	84
PID 3108 wrote to memory of 228	3108	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	84
PID 3108 wrote to memory of 228	3108	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	84
PID 228 wrote to memory of 3488	228	omsecor.exe	94
PID 228 wrote to memory of 3488	228	omsecor.exe	94
PID 228 wrote to memory of 3488	228	omsecor.exe	94
PID 3488 wrote to memory of 2256	3488	omsecor.exe	95
PID 3488 wrote to memory of 2256	3488	omsecor.exe	95
PID 3488 wrote to memory of 2256	3488	omsecor.exe	95

C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
"C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
58e388ac9367d2739362caec7a761931

SHA1
4b19d103ccd07fbc56521b0245475f188e73dd01

SHA256
bc8ee3d7e0d86633cfcf7f1d394625618d35558b14eb1e43607b367f3c928fab

SHA512
fbd907ec6c1395b60ba78d87efa50f72d800f3f71eb473459515edab07ae7cba8441bc784ec642b8c07f689d14d618fa2e30f017688b8adb8e01c21bd8ba87a5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
0339db149beadf21e05483499ed5aff3

SHA1
aace77dce9a892c04d3221d57a2d81bd4b6300bc

SHA256
aa8e9a6a6435c7e6ab638dc56a87c53c8fed6f20510c96fcbdd490c1ba125e44

SHA512
d9ae87870af02f99359e997c399bb8ac0778ac2a6bc855101b9662410307036f1eb8eee53bbb2bff7043094012a50a750bcd2c559e04fb0f27676e10e21a03a4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
9d600b5ae7f08d6bfc185dd73057aa12

SHA1
5924daffa34bb06a0a7f105fc382e1536623eedd

SHA256
c657d6cd17b728d492638d50a5cbe9938d7ab578297d5226571f7a3fc594fb40

SHA512
2f0438837222ee77792b968c17a5df9b3e4fb752e5879a63f97909fdd52a9211891ef10a9e05ea8e218011c28e5edafb0db17ce00cdd593abbc07c1b5d9126a0

Download Submit