neconyd | f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Size

89KB
MD5

ba2d45f4f924dd7d4cfe2157134938c5
SHA1

eb14ea5f387dfb8e580035b6f1b9d1622feaea60
SHA256

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990
SHA512

65ee7d3abb9da0489e47e89d0d6724b7fc5ea0937d1863fa6f111013a22294b1176ab4b371fc95db539f45cadf43e69c9a1c6a47a246268a356e8e70d641283c
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
5024	omsecor.exe
3228	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 5024	1932	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	85
PID 1932 wrote to memory of 5024	1932	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	85
PID 1932 wrote to memory of 5024	1932	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	85
PID 5024 wrote to memory of 3228	5024	omsecor.exe	102
PID 5024 wrote to memory of 3228	5024	omsecor.exe	102
PID 5024 wrote to memory of 3228	5024	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
"C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1c142ced09d9ee8d8a2ca5b89d3d2694

SHA1
30b22461f2e030abe0d4f17c4cbb8168a1d852ce

SHA256
d011ec79d50ab9f0881bd5f83b9e802360eab0b6855057728a0a1a3a4abbe68d

SHA512
f32ee5b947b386b31d624be1f97c4d1ebfc3875db715f0f0f38dac3a2f7064875a12bffda4f892189137674291330dd450b0ff41b5115fd0e0e5b19ad6afee51

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
5c1280bb73ff9f7ad7cc3400c5d82c02

SHA1
c5de650aa0953cdd524ee113d6eb2aa9a7a17eba

SHA256
30d1424aea4e85a1006d1922afd9963b76d830b107feac55c3de226118c547f4

SHA512
185e46784c7d776f4997721ab2f0fa34ff1efc4388b364918e1d5b8a177bb3a0a3a35ef6c97910344b518260d412ef1d930f61b20aad3325b8fa14138a10728a

Download Submit