neconyd | 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cb

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
Size

33KB
MD5

287dd909d7d485c2f7937951e4fb2050
SHA1

3e3ae817e27459a7de49a12b750a403539335b32
SHA256

13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cb
SHA512

9c97fe1336bd377dd67f18f65a087941c1308feb1037b0e1e63c1aea868bca64df944c0c3d53c72e5c9252f0fb6492f423d2d32b8673b23984defdcf90729bb9
SSDEEP

768:3fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:3fVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3604	omsecor.exe
1284	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 3604	4268	13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe	82
PID 4268 wrote to memory of 3604	4268	13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe	82
PID 4268 wrote to memory of 3604	4268	13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe	82
PID 3604 wrote to memory of 1284	3604	omsecor.exe	92
PID 3604 wrote to memory of 1284	3604	omsecor.exe	92
PID 3604 wrote to memory of 1284	3604	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
"C:\Users\Admin\AppData\Local\Temp\13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
75088bcfb8598df01e051afa17b7329a

SHA1
108d0c2a5d84d296b2c35804e9cd46c79288d82c

SHA256
93303728b047b2c6f9c29d220e5bfcfe1ca433ae69870e4077445a6daacc386b

SHA512
d2f7049883a951ffaff9f660254b52e59cc33afd77b0d99c90a60d38d506f7377b366ce033a824666ab62fea1f55e5f47ef6d61643588c559eeb139efc9f6959

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
185d1763299ea252be333dc90cfbb6ab

SHA1
d1ebf3db262bbafc18208465f150767f05cc0d1b

SHA256
459e121250359b812684d96b2cd245129aa482639cc52e6dee61956f73ac14e9

SHA512
27858cfaaac6983c6f7437408cc00198325ecd91a8ca803dc929dc0f85a761748c8d79dfbdc5abd88edf8cb444f8d3da52f8201b82a28537bd6a2f77877336d2

Download Submit
memory/1284-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1284-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4268-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4268-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download