neconyd | 8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Size

88KB
MD5

3aec4f04e9758e3fbb80b9f774907185
SHA1

13ba3a484de505ebe27e7fdfdce5f9c36451288b
SHA256

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28
SHA512

2ddca3cd6e9af6d0bf7e9a718107191aefa3e13088f5b243c396033efcdf4331912f6c31a3f37fef87faa053a0df4adc4d5e04aac3b176b39b4d6a967dd52c32
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5r:edseIOMEZEyFjEOFqTiQm5l/5r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1968	omsecor.exe
3736	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1968	4204	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	82
PID 4204 wrote to memory of 1968	4204	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	82
PID 4204 wrote to memory of 1968	4204	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	82
PID 1968 wrote to memory of 3736	1968	omsecor.exe	92
PID 1968 wrote to memory of 3736	1968	omsecor.exe	92
PID 1968 wrote to memory of 3736	1968	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
"C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2a7b543e4d9d99723e4ed24394be9bb2

SHA1
b3dc39e31f102e7ab0383c4d319231acd3431abe

SHA256
b320cfb86fd1c6c9078f7df25ad456fa9b27ac8b519aabe868bb01549105e260

SHA512
77f50415515327ff5eedfbd24928274ff3bbe3c9e0ab9597f1aae77032071701396e21d488372b36384cc7f22b769a37708097e001b5ead3ead7860e4917e0cd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
631164382ae316dc4e7bc01a9b030cc6

SHA1
c2f01251f297018faf824c0f30953db3e5ac8c96

SHA256
3538385067970b6e153cd12c83aa67b42295953a9163134adf91d8ac1da1aa88

SHA512
ed39e88830023c972a636aef408f0dd274514f745dc21890e958722ffafc1911eba2480d8b8fe0cb693a885af1a23a5b3c6d03e03999a62f1ce62e6b6ed2c908

Download Submit