neconyd | 4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe
Size

72KB
MD5

0c3cd0b70f7e5be5317106daf79ee2d0
SHA1

ef2db927ed0fd8e4eaa498c5abc28cc50e2eed22
SHA256

4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35
SHA512

1b7befe58e91e9b7f4a4f978fb2d7d87cf5d392993c6d0fc83ee9a03e7ee7a9d819368ca4a3bf456fda61e1fa89aaeb60ee6a5bdf96508251c988dbfd9a693aa
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52119:TdseIOMEZEyFjEOFqTiQm5l/52119

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4904	omsecor.exe
4888	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4904	1460	4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe	83
PID 1460 wrote to memory of 4904	1460	4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe	83
PID 1460 wrote to memory of 4904	1460	4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe	83
PID 4904 wrote to memory of 4888	4904	omsecor.exe	100
PID 4904 wrote to memory of 4888	4904	omsecor.exe	100
PID 4904 wrote to memory of 4888	4904	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe
"C:\Users\Admin\AppData\Local\Temp\4bc709172ebb1582a8ab25339891d45c3130abf98a6d54f0d7eb085f4c739b35N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
2c9aa37be67030a5e66c216491a37621

SHA1
a9952c093b667d8b651ede7fe3fc74aa9fbb5ca4

SHA256
f39ec091a4d5b6d64a31161e1bc3c44846a4a4627bc39f1f3987468ea1800d99

SHA512
725d290a5878b2d8f20979751bfa1c132c953ee41cddd90fba56926f3995933f6c75f1260dff4b8a89d642af75721440a3f8b2c3d7921fa1d93e13f12ef1251a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
890952ab9e6e5cc2014b21995e90e777

SHA1
38738b47a476dd3b498b816463faca49656cb185

SHA256
f84e2226666d340e42f92a8c4692ded66f5dabc134f0ad7467749c423bd2cc85

SHA512
d4657003b76787afb707760a3bba335536ff83b84beccd48161d7240967bb43280683ce2481e1aee5f9ab8a6570be536099f58415c5678099847d298675638a0

Download Submit