neconyd | d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
Size

61KB
MD5

4e72910783d6d50b3057fb4c867c8a30
SHA1

41e7631e7e2d54e224ddb8aa4d11250037e37fad
SHA256

d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4
SHA512

c528af3f7dff28c1d077ca67f54f6ff1c6585ce2a0f9b36b6cd3777a7ffc2fc000cddb1eb631667c528ab1a53815c9125f9ad94e6faf46e892b1ba5d0dcad653
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZOl/5:7dseIOMEZEyFjEOFqTiQmYl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4984	omsecor.exe
4980	omsecor.exe
2844	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4984	5008	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	84
PID 5008 wrote to memory of 4984	5008	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	84
PID 5008 wrote to memory of 4984	5008	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	84
PID 4984 wrote to memory of 4980	4984	omsecor.exe	93
PID 4984 wrote to memory of 4980	4984	omsecor.exe	93
PID 4984 wrote to memory of 4980	4984	omsecor.exe	93
PID 4980 wrote to memory of 2844	4980	omsecor.exe	94
PID 4980 wrote to memory of 2844	4980	omsecor.exe	94
PID 4980 wrote to memory of 2844	4980	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
"C:\Users\Admin\AppData\Local\Temp\d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
0883555b1c237e502eeca1158e89bbed

SHA1
4037caefb0690cf46be21e002508282c0d7261f4

SHA256
dc5d0a5ac3c46b7d0fa6492bf3557cfe619627bfe8ac1bf5262ccefeac4eb179

SHA512
55a31e3116441b55607e38252610cf8db7b54d68b9953d1f2fea229d54a5912a2d6ca4ea3211dd89df37231bde87c5bfc9c96e1db8f6be9a062dd7adf7ac14e2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
19c85f2eea2ea1f59c9af20bb904ed77

SHA1
304a85f8b77aa32b8349ed8241f57a8951e64ccc

SHA256
eb55527b323f50fe4564a6411b45c371539042d52bcba9f86b053f4028d06a19

SHA512
39bc4281de9ac7c774d619e817bf03c6f2826f6e02def8f688a2f468270fe68c710cdba56c2b067def6814c59b8b413147af841646ab074cd7c1d9b720a437ee

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
564af7dfc1385613d4aff2dd30c54057

SHA1
a430602cf9a1217a3380c9f8f0b0470e1f8830c6

SHA256
dbac6d1cf3cfc48431523871f50ca4239bdc9941c26518f5f94c1754f8b8e53d

SHA512
421ae1b01ff7e1c7e9a88526dee1f8b81b3245a30366b126a5c556f3ee8a0ca8fe90bbefb7ede7f84fe0cd95230d2ac34a580089bb950125356fb24e1ea8121d

Download Submit