neconyd | 7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
Size

76KB
MD5

ec8cb84b2c65d0f127c29133297ec8c7
SHA1

8fe58ed34a15f30bfa351d1ea6bf01c7cb929496
SHA256

7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44
SHA512

796e0ebdd0a7488f5bff830a8bf7347feb2497d3d7f1593b65fd6f98343ea3b5c461bccf3dc039e7f9c0a60d28b9aeef2184a85c5852b37892b091821789bba5
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:xbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1608	omsecor.exe
4960	omsecor.exe
864	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 1608	716	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	83
PID 716 wrote to memory of 1608	716	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	83
PID 716 wrote to memory of 1608	716	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	83
PID 1608 wrote to memory of 4960	1608	omsecor.exe	100
PID 1608 wrote to memory of 4960	1608	omsecor.exe	100
PID 1608 wrote to memory of 4960	1608	omsecor.exe	100
PID 4960 wrote to memory of 864	4960	omsecor.exe	101
PID 4960 wrote to memory of 864	4960	omsecor.exe	101
PID 4960 wrote to memory of 864	4960	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
"C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1413ff2232be960e0a952939ffd56d50

SHA1
3e15e41e423c20fecf79d87e420150238a29159c

SHA256
9d6bbe17f5488de03f4e2a0ebc929c6f7aef890a17f529219152cc3658cad48c

SHA512
f734a8e7966c295ba17a2ccc8c851fdaabd61c601627757b33db999f1fbbe1bd75d2b64856eb1ea249e6c8be9226fc4ff2e6f612af96878667dd6fec89baefe2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
55619170e69d92853a6121a63b0783f2

SHA1
92e2dd41a5f985e1def9f5b42df4a403d0fbddf1

SHA256
f81136835ed8be933f843ef5a22f7d9f3d3c9c890da4f26e4e731d04abae3872

SHA512
877c9ab7806aa1ff68c8bc56a1c327ffde11702821077b75129c9e6dc5eea873fa0340de577f35f6f809c040b5714b8eb69bf5e06b60430a5d6d7627de363357

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
0aaf16bc4b54a627211fdc63ec3dd132

SHA1
f3674e7309e1ad69efd2a67115293799dc608521

SHA256
5936345f63a4e14a1ba61f9f4b5154b772b0aad8ae6ce00d483c310908303fbe

SHA512
e6c1afd2d16f18884a5448488c9fc8a89b51e987e1d3c31bf0a1d7b85d3983db214726d42ea7f9bf6ef293d301f979ab2e37723d7cee9d527b5bd456c58ec4e0

Download Submit