neconyd | 339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
Size

33KB
MD5

cc78612706f777dd9cbe41e98b11f15b
SHA1

784736d5e0f78f8de86e718d684dd9ff5e64e0cb
SHA256

339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247
SHA512

4ab445cacfa69b92b2a7ecf9ff3007f934aa40649113cdc3dbcc435ac39ebc384c98cbf4c5bdf895e44a12a921e30973dd55d7f35ffda5bb12eb53c24ccbc150
SSDEEP

768:UfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:UfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
1960	omsecor.exe
3088	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1960	4060	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	83
PID 4060 wrote to memory of 1960	4060	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	83
PID 4060 wrote to memory of 1960	4060	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	83
PID 1960 wrote to memory of 3088	1960	omsecor.exe	101
PID 1960 wrote to memory of 3088	1960	omsecor.exe	101
PID 1960 wrote to memory of 3088	1960	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
"C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
ebbf5c33067cb11bf3aa3c339191e626

SHA1
4955facaf7a98cfdb909d553644f16b820414691

SHA256
a7b2ce28b3d47705c29d9bc00e154bd7243935e95d45834b2116082bfca56171

SHA512
0e9663956f6a9b9b85880bbe31413fab8c7aa6647a1f70e2f92745822b52feb1e9bf9234956b64e38ecd78dbca526c3b9fbc0ab68726faf61db71b10033896fa

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
0b388b64faf11c1c487e56a2352d8c41

SHA1
57fff73499143bc67edd501c20fa0182c8bc5654

SHA256
56662ab820b3e2fc448003c358e3d5cff948fc9d126a9196003d79f628e59461

SHA512
4c2ecef2955de7ffb044be395e5ee630f8f8fa72fc62af4bb339effe78778b1225ad665a4decdc3dcb5aa350d30ebc660ccfc9ad156dfa357d1f03009b5efc98

Download Submit
memory/1960-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3088-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3088-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3088-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4060-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4060-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download