neconyd | f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Size

89KB
MD5

ba2d45f4f924dd7d4cfe2157134938c5
SHA1

eb14ea5f387dfb8e580035b6f1b9d1622feaea60
SHA256

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990
SHA512

65ee7d3abb9da0489e47e89d0d6724b7fc5ea0937d1863fa6f111013a22294b1176ab4b371fc95db539f45cadf43e69c9a1c6a47a246268a356e8e70d641283c
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3140	omsecor.exe
540	omsecor.exe
2200	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3140	1576	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	83
PID 1576 wrote to memory of 3140	1576	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	83
PID 1576 wrote to memory of 3140	1576	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	83
PID 3140 wrote to memory of 540	3140	omsecor.exe	100
PID 3140 wrote to memory of 540	3140	omsecor.exe	100
PID 3140 wrote to memory of 540	3140	omsecor.exe	100
PID 540 wrote to memory of 2200	540	omsecor.exe	101
PID 540 wrote to memory of 2200	540	omsecor.exe	101
PID 540 wrote to memory of 2200	540	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
"C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
daa102ce73284faaeb305ae844180250

SHA1
6b1b61f848cbc05b2b73f2a22ff902442975581a

SHA256
50c4b155b92ecdbf29c920678abce16d283440d651c6224881ce12d1222fb274

SHA512
432895e98117b28c58b0221ac7d1d8e028503e7043c8b69b17b101625fe67f0c6ab2f297d23a3f33032d304696f14375067a2fde2786da133d8289277a5de11d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1c142ced09d9ee8d8a2ca5b89d3d2694

SHA1
30b22461f2e030abe0d4f17c4cbb8168a1d852ce

SHA256
d011ec79d50ab9f0881bd5f83b9e802360eab0b6855057728a0a1a3a4abbe68d

SHA512
f32ee5b947b386b31d624be1f97c4d1ebfc3875db715f0f0f38dac3a2f7064875a12bffda4f892189137674291330dd450b0ff41b5115fd0e0e5b19ad6afee51

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
10e32e75eafd3749ecf0773d08d19131

SHA1
8818d990a60b352b9c1c361c5811e8ac1ebd7345

SHA256
8a6a0ba4985c0fe449e799f460ac76fd17d539964682bae69a562256d9f38649

SHA512
18c3623a7d687d85fe8b6ed309d6d79be08e9db48493ec275a0f163ad144a81018b210a4a195539a05342fcfd98a3416ed43f56573e3da92a6eb5052b926a87b

Download Submit