neconyd | 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
Size

71KB
MD5

3958deddaef3fe3737c2a7566c3f3800
SHA1

051a7a844e9bf717ee161af71333a78115aac3b8
SHA256

5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c
SHA512

29c580730edeebabf5b0c49abc058c64b1d2d1fe21f285d0cff4f07c49a43e2efbd0629c89a9a2742f3a16fa1a69cb882605e6e25fbe0f93e6352918d087657f
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:4dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1816	omsecor.exe
4496	omsecor.exe
2556	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1816	4712	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	83
PID 4712 wrote to memory of 1816	4712	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	83
PID 4712 wrote to memory of 1816	4712	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	83
PID 1816 wrote to memory of 4496	1816	omsecor.exe	93
PID 1816 wrote to memory of 4496	1816	omsecor.exe	93
PID 1816 wrote to memory of 4496	1816	omsecor.exe	93
PID 4496 wrote to memory of 2556	4496	omsecor.exe	94
PID 4496 wrote to memory of 2556	4496	omsecor.exe	94
PID 4496 wrote to memory of 2556	4496	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
"C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
ba125ca26d2964c6c6e9d2ceaeefab4f

SHA1
1aa33ad4f794a6684f3ed994a2437c946a847ee7

SHA256
4716a9a047a9ffde52bcec4083314b4dee66510621dcf0c66dd29383754ee0df

SHA512
5cd5458b7c77f15fd336f5cf0da2cfa6fab835bbbf2c32b13b0de76da56cb6aad4f9aa8d305a21b811bdfd562d5baedd8765047baadbf697e3d29b318e2f5836

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
14609222ad04fd8fcf5d5c9107ee25e0

SHA1
15f317f2e29c854d53b281f4aa6b2af3e0627352

SHA256
0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3

SHA512
76f754cf0d2ed9f3013a81c8ad8189dca0f13955310c0f9cb1a68c656ddb7fb247914a9d2aa10e989c503c2ae658759830ff28bc8765d15a3853cfd5f1138aae

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
0060752bc4b2ed2ddb58f8894a43d564

SHA1
67b4b4c96209c75d9bbdaa8b44e534356a173c7a

SHA256
5c2fe80c5b4643366539b50d97297203b725631578dc2a64e3698afa2e312e9f

SHA512
6e786ace52844c410c4a6b777b8cddaa728e24e94f00be266d2dde90c5de88d021d7d3f0b3eca2ebb7cd4c198122a113a7bad615058536e6283b29585daaadd0

Download Submit
memory/1816-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2556-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2556-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4496-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4496-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4712-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4712-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download