neconyd | c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
Size

76KB
MD5

19fb34656367c228177bb9756f05b542
SHA1

9cd65ca143beeae72523cc52290dc836c9f3ae8f
SHA256

c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8
SHA512

8a732549841a29b995b1f9933058d7e1f9d2db59e4a37a0511b1c8d7d0c9348f84c0c444e744734ce1738f57caea40002e441af345d829c21888e18d08904a38
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1360	omsecor.exe
1816	omsecor.exe
5068	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1360	4560	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	82
PID 4560 wrote to memory of 1360	4560	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	82
PID 4560 wrote to memory of 1360	4560	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	82
PID 1360 wrote to memory of 1816	1360	omsecor.exe	92
PID 1360 wrote to memory of 1816	1360	omsecor.exe	92
PID 1360 wrote to memory of 1816	1360	omsecor.exe	92
PID 1816 wrote to memory of 5068	1816	omsecor.exe	93
PID 1816 wrote to memory of 5068	1816	omsecor.exe	93
PID 1816 wrote to memory of 5068	1816	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
"C:\Users\Admin\AppData\Local\Temp\c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
c08461106c2ae2ef5a16789dbc8dbfc1

SHA1
81a76f70e91150ef33aa8341d813180d9589c21f

SHA256
cd89ed203910f362a95902920b309ddfbda9be554cd06f657e5bd906ed4f04e9

SHA512
1e47069061a2c4f530c207fda0b8df41301571027b2e61b55f941e17a7e30d911876856a1b986d3eced6fe7ba89e86fec7372a457aed2aef0c7ed3fb56ff3e21

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
af9faf37b3fb1227c55192a00dd407e1

SHA1
7a051f67decb195dbb0f0e2ca98c404160180d66

SHA256
69780a2586abadfa7c6d1fd65cab655f50f59842fbe34cf35ee3f06d5b4d2d96

SHA512
bd85c5ce9cce6a923660fcbed78842b89c2c45926ef08abf74cfd5ba4d0359f2ee8757925303d700b498df2374aee4fd6643276844470409d4ee02df83b90752

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
4c67a3219f90f692ef67ea95dadd76ac

SHA1
776dfe46b8f6e8361e4e98da916292fde4f9be36

SHA256
4d4ee3fce2a36551c78c6ca9eaf29e9f224d8ec145fe1a58cd77cdeed2fc37ff

SHA512
28803ada3d7c1d52a970433a21830d2e8c98395073dcfea1e24849a9a0514967e42a2664d4cebe3342978eb3eb45e18dd71a8e259a3eb0484bfe048d111faac9

Download Submit