neconyd | e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe
Size

80KB
MD5

b0957e5c9f6d968a760770b1fc07de70
SHA1

bfa31c35bcf1858fcdf8ae02d8e7b5b0efe276b6
SHA256

e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5
SHA512

214e2ac4521ff8991841c9f028075565a79957052f5e1a0b0d5f45de2c8427c5ed79def4eaff1850ef052505e849bca933b2f715dea21b50cb5993302b50ad47
SSDEEP

1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:udseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4396	omsecor.exe
3436	omsecor.exe
5060	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4396	2652	e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe	83
PID 2652 wrote to memory of 4396	2652	e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe	83
PID 2652 wrote to memory of 4396	2652	e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe	83
PID 4396 wrote to memory of 3436	4396	omsecor.exe	100
PID 4396 wrote to memory of 3436	4396	omsecor.exe	100
PID 4396 wrote to memory of 3436	4396	omsecor.exe	100
PID 3436 wrote to memory of 5060	3436	omsecor.exe	101
PID 3436 wrote to memory of 5060	3436	omsecor.exe	101
PID 3436 wrote to memory of 5060	3436	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe
"C:\Users\Admin\AppData\Local\Temp\e8ec10d0158b89112a1d9de0fd81ca0a8f36d83ee46286755d0f8cc7073599c5N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
29feb114283e09db608e1e4b087bc9ac

SHA1
2cea1c6a5a0186b207d1073d96b1936ffd6f583f

SHA256
2f042b1716649b833fa5eec6515cf5e7e078353b37768811f04896dd4239091e

SHA512
dbdff85a1139026cd2152476dcc39bc8fc97e39a9f732068174a43c0c39a0d380b24f52c25df0806eebe7b293854dcbef8695061d7644f562d5c8326df92deea

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
bae5be294b8f2c0415511adafa382b9c

SHA1
c3300563bff47787b147d2bd365c3bb9096c4a68

SHA256
c0c5d0a7baac8d2d6205bec4b17a73826416c3d9ff7804b958acdc7bec8dbeaf

SHA512
8db6acc3400c3d791d4c385c0a05036f4f297d57e0e108cb011c813a519226f48eb638bfdb26237b1ccebbeb49c034593e860bf6d522de205a932c207471cb2b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
a8ee71012550d189c1829035c0211a14

SHA1
47df18dd3c14213d46d7c6b9395ea89737deb29a

SHA256
18492d05352a760e0b497fde7fce276b439377b30710f77faea9d18c71cd1bfd

SHA512
7a074b7993b014a691ad8f134be539d25c9ae7d1564f194b65d92b63e9fde35e6e78a662a4b1d598429f17d8750ab9357c2cadfb28a384636597fdc4c720dd90

Download Submit