neconyd | 3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
Size

64KB
MD5

7315bd306db38f11c658dd7a44ab4d20
SHA1

190af71367989fa1fe68dfd39a03941224b56725
SHA256

3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278
SHA512

2155faae92e7f323ec7124ae229e9eddf68653aeec6a55b27bb6715cf5fc88bd36e4418da10e2f11de66325adee3beee11fc08c2f3692d5f5f027f7e5e0f19ed
SSDEEP

768:hMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:hbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4948	omsecor.exe
1608	omsecor.exe
380	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4948	3716	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	83
PID 3716 wrote to memory of 4948	3716	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	83
PID 3716 wrote to memory of 4948	3716	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	83
PID 4948 wrote to memory of 1608	4948	omsecor.exe	101
PID 4948 wrote to memory of 1608	4948	omsecor.exe	101
PID 4948 wrote to memory of 1608	4948	omsecor.exe	101
PID 1608 wrote to memory of 380	1608	omsecor.exe	102
PID 1608 wrote to memory of 380	1608	omsecor.exe	102
PID 1608 wrote to memory of 380	1608	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
"C:\Users\Admin\AppData\Local\Temp\3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
90019491058ae63d654d6f9865344edf

SHA1
0bab822aaf367b47bc0f9884d95b5042ee6a2c37

SHA256
9ef7a84468d19df7a7f1ad0b62018b9cfa011cee692a7843444b40a2cb5bf4a7

SHA512
9a7d1f2bfe94c7b8c43c1daebc1c529a75a136e8ac7956ea89e93a10c4b09d4eb22452a80abef9af25d4dded20ec597d23695bbb846c8e2d75646c6a3089956a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
a57a2867af56b43555c23df5e9ef4f54

SHA1
29540db21fe9247c0f7c994f17535cd8a37420d3

SHA256
f6b2a45729c8bcd6e5a8e39ef66504169ad13e1f3a86b9e1c80f5a1cb434154c

SHA512
ed3c2c5db482261b9b78ed26d0854f3de2758da921b6fbd0e90b07c22be58cdef59f7fc93bbb499ab33872a3bd9ef472e6bff28e39ac3bedbedda8c1862a6ce0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
2c26b16c876dda1ffe81b48d86cd9a00

SHA1
ad248e04366fc0ac45fd780f8da2c3641c88f0b6

SHA256
886eafcac03aaeaded84980c3e26867785c3c7784e212ac87b9e9c4f0cae678d

SHA512
a594bd8d65587a7fb7c8dfa878ad38d8c17f4d920c1f5793bb0d670441c2b07fc78e02ee09fb8fef68c9506ee6c66a354e31cb90250a743a40d3ac174b168376

Download Submit