neconyd | 45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
Size

88KB
MD5

73a2ffa70e42ef92001b48d19f303290
SHA1

1fdb6315973a91a139dcac8f64502a5dd60ded6a
SHA256

45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9
SHA512

7bf64747cec0bb908c70d58273c1076c508c870f32383d85fd5eaf233b10e1504d59eb7ee80d6b0c00f380877e11564e4bf6b82958e9c1984f754fa627f04cdd
SSDEEP

1536:qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:qdseIOMEZEyFjEOFqTiQm5l/5z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5116	omsecor.exe
4380	omsecor.exe
1316	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 5116	1312	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	83
PID 1312 wrote to memory of 5116	1312	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	83
PID 1312 wrote to memory of 5116	1312	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	83
PID 5116 wrote to memory of 4380	5116	omsecor.exe	99
PID 5116 wrote to memory of 4380	5116	omsecor.exe	99
PID 5116 wrote to memory of 4380	5116	omsecor.exe	99
PID 4380 wrote to memory of 1316	4380	omsecor.exe	100
PID 4380 wrote to memory of 1316	4380	omsecor.exe	100
PID 4380 wrote to memory of 1316	4380	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
"C:\Users\Admin\AppData\Local\Temp\45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
422bffcc840752cbc1fd0798c9111da1

SHA1
abf2e722fceee403f1415009e3e64d6bf7699cfc

SHA256
dc36b23b69a788574b0dbce01959cab7f8a7438928c7cdf6a95ddac9a0623a96

SHA512
9bad446528f0a029f356823e1279fc50badbb31f80d5923a424ff6c38d714aa000277626dfb3e5b927f5aef9deb7fee294b450bfa69779a6525505389a1163a9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
9e9712f490d66cc0db854df20815b376

SHA1
0dd839d84dce8ed4a82c35364964af516c7bf5f5

SHA256
d3c3c6f82c005a4cb8e2587dd30ae5faf411a5f61019d8525f8b18ee734ca8ff

SHA512
231117fdb786abf30fe356a5cc18e7e618e715bf802a23afe239532299498c47f03d18bd2a665f4bec91e4d59355bbb9eb6a65124663796d3eb1c10e84c63e19

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
cc5677846b978cbf3aa3243917b733b8

SHA1
23489af6604efafdb40b62c6645b3d88846f5226

SHA256
33e04b6c606ab2c943befe10e26a9b56f20451c6fb8312851f458f632bfad0b0

SHA512
11ae84815e95bbc67cc1db25db1b30c684e6a5f98684a4f69799e860c7abf470aafc57406d04ab909dc345dbb086ef0613ac4a68112e13c61e7626b7c02a1958

Download Submit