neconyd | 0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe
Size

76KB
MD5

f6147bdc684b02168004603bbe1d1f60
SHA1

dd1d9cb0d1d3c3078a30937d569244bc07bc72ba
SHA256

0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7
SHA512

959e70c9b5b4d70509e703468b31bb7f7bbee34ad38e5c7471c6ff091872436d0cdc634a7e13b7bb315910dee81fd97fe6c015564b2e071b31e7e53362f962f7
SSDEEP

768:O2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:/bIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
216	omsecor.exe
868	omsecor.exe
1584	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 216	1396	0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe	82
PID 1396 wrote to memory of 216	1396	0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe	82
PID 1396 wrote to memory of 216	1396	0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe	82
PID 216 wrote to memory of 868	216	omsecor.exe	92
PID 216 wrote to memory of 868	216	omsecor.exe	92
PID 216 wrote to memory of 868	216	omsecor.exe	92
PID 868 wrote to memory of 1584	868	omsecor.exe	93
PID 868 wrote to memory of 1584	868	omsecor.exe	93
PID 868 wrote to memory of 1584	868	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe
"C:\Users\Admin\AppData\Local\Temp\0672e67c346a2f7e34187d701376de895be5abd192f8b09dc0dbef89f7e755c7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
87d718075af274f9dfa697a58bc42f5f

SHA1
9ad568277569bc499ee0f480866e3c3e7be14185

SHA256
3429d14f50fa2bddfba8073dac18a1ac2ced99eb02dbd5c28d493dd76ca000ed

SHA512
9c5a0f74f75ac4a7ff18fd036dabfb20891d6936a8d041a57a51fe747f8adb35b8880d65e21b486a35054507da2a8a34eb8ea3d16c548c72860362406070bf12

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ffde54d353fc73992978253f4c9abc0f

SHA1
3b44e1f2caa421b19470e562c9829360103ef5eb

SHA256
1027fc49593660c732c3664ae7c0f45c2815d8175fd1a20f98dc0f7e4c903480

SHA512
10bb6737c12ddd3371dd74aaa685dab150c3c698ae6c182c3fe62b589f25ebadc4bb574011ef46ee0d50e24c3d97b33410132e440bd69a643c0a49df9e5cb860

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
331737cc859761b21dae151cf35bfe86

SHA1
cd0edb93b8aafbf45d5d00b153f5d1ba50756fd8

SHA256
d67f114dfa1a66998d3965395f7c20994f282e95381e9d6d49121a4a7712de2b

SHA512
19ee8b0391300b244c9b7c47d6584a4a0cfc2a6eb20c679efd29cce1ddcce40e98e2e5cf453d7d7093f5219cf15ca4006ea0fca57e5118872db90ad43143d86d

Download Submit