neconyd | a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73d

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
Size

90KB
MD5

c8e99543794cb8b16b2c7a8f8c93e5b0
SHA1

7edf14b7178e2da719ea797b1ba39b5d0d5559b3
SHA256

a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73d
SHA512

edac828172fd9f58058ac40f199a6ff200bb785a29231fe25b0ab45eb7bfabe6f9d00fbec82ec97e433ecb1a8a7031099063b7e142f9a1e5e913d5bf75fc9e72
SSDEEP

768:aMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAO:abIvYvZEyFKF6N4aS5AQmZTl/5G

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4320	omsecor.exe
2408	omsecor.exe
4068	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4320	3456	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	83
PID 3456 wrote to memory of 4320	3456	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	83
PID 3456 wrote to memory of 4320	3456	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	83
PID 4320 wrote to memory of 2408	4320	omsecor.exe	100
PID 4320 wrote to memory of 2408	4320	omsecor.exe	100
PID 4320 wrote to memory of 2408	4320	omsecor.exe	100
PID 2408 wrote to memory of 4068	2408	omsecor.exe	101
PID 2408 wrote to memory of 4068	2408	omsecor.exe	101
PID 2408 wrote to memory of 4068	2408	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
"C:\Users\Admin\AppData\Local\Temp\a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
abd99bcc3e68de9441765200bbe51384

SHA1
9c8dc26b8b9f1c7a5d1d4ada939f267f169ef261

SHA256
d6ff5516c7ed100ef2ba4ed72670f5eaa1d065a16ab9bfc5d1576ee147b6eb9e

SHA512
6dca12eb5431a9a1b5a9f52c45132bcbb4e86a43e2d7645775ec371e96309193454b89548dca2834109e2ef7f01d08c5d67058eed88f3c4a46839f7f9bf89f18

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
e7d2cd0245f3cf8ec5a74f561a48b9f9

SHA1
abba59d2412f0059506c421640fc5f388f207021

SHA256
5c528d647cd99980d98ab2d5f733971735e029ebf9d9ccc2b3c0aeab20528d12

SHA512
fdef2e55b421f2033e466e8dc81ceba74f094587908351067ba3afce713ea35d978c09397c6f6549c29ca6aea2a78d44525d6ceab430b36ed2dd3828bcc83493

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
f216a8acc8bcd0aa1a23ade051a44490

SHA1
c1d691fb013820500b3273eb18f184aa37ff3f9b

SHA256
6a30a0ce82a507062504fc61584036e34c7be93ec7c4f4cee93d6f461bd98d0f

SHA512
f832616a446e182c9a3e2c308dd88768972b27f8b93863ef398bbddbd3b86018b80dbf0480a97489648975b32ba234b6a342bfe82cc3e7afc5023aa9ffd01f87

Download Submit
memory/2408-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2408-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3456-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3456-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4320-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4320-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4320-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download