neconyd | 7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
Size

76KB
MD5

58283dc9e1a09139b0de697a8ff26b88
SHA1

bed5a32685e344306c973b80f675570b3ddd784f
SHA256

7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1
SHA512

4cc6ee9d4d4a357229ebd2cafccaa38c1bb5c1e299b391471893dd1b8f2a7054392cbbb6636208a0063c06f63ddad5ccb876abfe128d0baf058baee6909de355
SSDEEP

1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:JdseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4924	omsecor.exe
3144	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 4924	2084	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	83
PID 2084 wrote to memory of 4924	2084	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	83
PID 2084 wrote to memory of 4924	2084	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	83
PID 4924 wrote to memory of 3144	4924	omsecor.exe	101
PID 4924 wrote to memory of 3144	4924	omsecor.exe	101
PID 4924 wrote to memory of 3144	4924	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
"C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
eadda070ba850be2852053179dd29806

SHA1
42567c79508203895f211d05e950064737f07416

SHA256
0d56384533bee6ac5e0c299965ed608d339b1becc67f14fd0a0236dadc7f2c57

SHA512
a3766bc26f4d9ee40daf9e7f2d8646fc5276ac5651e820690c4cfb93e0c88f416eb6e37f182bbdac579081036f1a74f8c32e334dd788818406c10ccd032e3850

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
bd7253422e2cc55291f8b0a1c2be2463

SHA1
38f4d794f7d61a97fab59c9eb8e2072c00a3ac1d

SHA256
0ae4eacb6b3ffeef5cded99e818a34a9e4bc8b7bd0d27fbb573439720a3f644b

SHA512
937e3174fb92d2a36604c66ab8d60bc797ed3c8c6477d1a431fff242a71570cb2925f9409f0a5ba7e5eeaab01906ad283ee54c13290815917de38b7bce63af80

Download Submit
memory/2084-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2084-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3144-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3144-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download