neconyd | 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
Size

90KB
MD5

4cfcc2372b0d1cec4ca5cd9de9c37d45
SHA1

9296d10dcd3135c5744e32409c2c4b5340d91419
SHA256

92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6
SHA512

e0832dcc6b19a14e90feeb51d5ac78628294c49d75b1dacb1a68d047680d0919b6e90fd66c85e2a2c3b1abc1b233344ca79e9f07f96e30858c1c87fb929fb671
SSDEEP

768:GMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:GbIvYvZEyFKF6N4aS5AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4788	omsecor.exe
2964	omsecor.exe
3748	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4788	2052	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	83
PID 2052 wrote to memory of 4788	2052	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	83
PID 2052 wrote to memory of 4788	2052	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	83
PID 4788 wrote to memory of 2964	4788	omsecor.exe	101
PID 4788 wrote to memory of 2964	4788	omsecor.exe	101
PID 4788 wrote to memory of 2964	4788	omsecor.exe	101
PID 2964 wrote to memory of 3748	2964	omsecor.exe	102
PID 2964 wrote to memory of 3748	2964	omsecor.exe	102
PID 2964 wrote to memory of 3748	2964	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
"C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
d52fd52d4441f5ee67672390b796c4b6

SHA1
2443247a601ee381fdf25b181b1ef3318b978b22

SHA256
917b3096550cfc7ba281772450566505ef1bc9891a945dfab502a50d538f81c2

SHA512
be8ae7acbca2618dd502b4db203c3aedd5ffcc33709f49f7a3d4a4b84b4f258fb85fdb388540c7e05c0be5d4bd8d0c4813cef631824ce5636973016961275ed8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8dee2d8cae1e243c9808a04cc886c746

SHA1
c501945a7d593253b68d2e99063bf5d68fda83b9

SHA256
bdc917a2b628176bebdc844a510f84bc568088d971514be7fce9ae29d0f63df9

SHA512
bfd3a84e8fa78b0bf440417a15f0a70a4906b7685c9c0efb13f9304db2df6f3edf26690c83cddd90e45c3448f78bd86ca4dd4349f6747d043a03c6fe348c6df6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
9ccf829d4e11196f79c301c95ed497ff

SHA1
6e8967757e1136364e0c217c1662b1d108225d4e

SHA256
182dbbcf3b7a64e0d5dc304d39317958441fe579194445fbe93e0b59bd3c3d91

SHA512
5092c0ef600119e866341c0fbfe56a46245ff7c9c611a10ddcaafc1a693543f9a734948fe399867cc40cfc3a8c92452197c3eed2ad73269b460d864b7bf43242

Download Submit
memory/2052-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3748-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3748-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4788-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4788-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4788-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download