neconyd | 0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3

Analysis

max time kernel
83s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
Size

71KB
MD5

14609222ad04fd8fcf5d5c9107ee25e0
SHA1

15f317f2e29c854d53b281f4aa6b2af3e0627352
SHA256

0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3
SHA512

76f754cf0d2ed9f3013a81c8ad8189dca0f13955310c0f9cb1a68c656ddb7fb247914a9d2aa10e989c503c2ae658759830ff28bc8765d15a3853cfd5f1138aae
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:hdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
592	omsecor.exe
3140	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 592	4592	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	84
PID 4592 wrote to memory of 592	4592	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	84
PID 4592 wrote to memory of 592	4592	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	84
PID 592 wrote to memory of 3140	592	omsecor.exe	94
PID 592 wrote to memory of 3140	592	omsecor.exe	94
PID 592 wrote to memory of 3140	592	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
"C:\Users\Admin\AppData\Local\Temp\0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
dda13a3546a19d197c533f738d1829fb

SHA1
20c33645a31f97a18aa86b8bd439984a39140053

SHA256
f78f71b44c00b965ee8ed3c4f169d7b76e69835ec6343231fd4a0ebab969686b

SHA512
2f0590082529492fe3e0ce3485cd8bf29bf0143966f3fa16727828181a82958ad03a2b8bb33c6942c6eea79d871aee939d5515585f272397dc12fb7328340935

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
213acd07bc57dce18e9380154f56840e

SHA1
6d730eef22ef11912ebacc60afef4c7171820fe5

SHA256
1174a56bc711ccc350196eb1d8827254cf50a18157ddee4e5b42e30d61ca1c4a

SHA512
7fe0d557c0420a854ebf557f2d22f563eea3f341b8c1b9435d8641890d1b9dcf74866572e21ad15c0a198d53e20ddc1df32d5aa8de60dbc0f0053f57bffa543e

Download Submit
memory/592-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/592-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/592-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3140-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3140-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download