neconyd | e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7

Analysis

max time kernel
119s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Size

88KB
MD5

90da53acc55d7dc094402216130d6fb0
SHA1

6514620fb963d50a859dd627c29aaea2dd3c1017
SHA256

e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7
SHA512

379b1c0cb65f1b2656b995cd4e269dffb06cb6df5cb52bf0f6d5c55d309f68aac36740350968b1fe7afe71c245f2796f67f3e41a189c54aefe41d704745bddba
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:LdseIOMEZEyFjEOFqTiQm5l/5R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4284	omsecor.exe
2336	omsecor.exe
3780	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4284	3176	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	85
PID 3176 wrote to memory of 4284	3176	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	85
PID 3176 wrote to memory of 4284	3176	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	85
PID 4284 wrote to memory of 2336	4284	omsecor.exe	104
PID 4284 wrote to memory of 2336	4284	omsecor.exe	104
PID 4284 wrote to memory of 2336	4284	omsecor.exe	104
PID 2336 wrote to memory of 3780	2336	omsecor.exe	105
PID 2336 wrote to memory of 3780	2336	omsecor.exe	105
PID 2336 wrote to memory of 3780	2336	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
"C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
f777f0ff85e83bb53a8d0365dc588330

SHA1
713f6ed0ef4a948668389ebc85b17c5358e5d6fd

SHA256
71f9b85c775e8a9526dcdd4feed87e5bb000e76d4271c79336c4de06f278d440

SHA512
5351c7320a0cecbcfa1cea26a915bc2d47bfcbe652b4ad87d1ceeec2abcd4704b087f4ac08a463afa350beb0c4996fdbfa4ded5259edbf2f38d6f6a09641828d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
81850f2b6f195e787c5e5aa4b659e592

SHA1
f055e0f20f00cdb552db09c769492c1cef33b4cf

SHA256
f418bd53decde76f37db315fb74d326c0bc48caeb03918abfdc1edaa66133b88

SHA512
c50126d563518c0d2661bb5a2851957bdbe1309a0f5190c148aff11e804e1212914c510813126e77efdadae22a296126035ed28ba60d1dda3ea1f7d86c96e53d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
1d9c9b6ff83108dcafb0c9fee2b803eb

SHA1
4632582753e17f2c2b46afde85c2bfb502de932f

SHA256
5e70ecd8523ae69c8d8453267a49fa609c6d27d3598f9626433fd9ae45b0fab9

SHA512
d072430a43270c16058a760a071ad679d5e8ece2d3b3635337e2acf55a7eab9567575ec8730682ad5e1394dab07347629f857ccd097f6867656bed4bdad61e5d

Download Submit