neconyd | 24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
Size

80KB
MD5

8ea42c95d5a331082f6de4476a708f11
SHA1

dd49cfc7487f67f3ea275e14166608b2f666cabe
SHA256

24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a
SHA512

984455b357ec27b20d0ce4a1fd1a6337034f6a5f821ac0059f80828172293ed7c48f66bf782352efb466f5e8bb4dcea8f97af4eaea499e7d77a2ac3737540be2
SSDEEP

768:efMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAe:efbIvYvZEyFKF6N4yS+AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
736	omsecor.exe
4988	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 736	3764	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	83
PID 3764 wrote to memory of 736	3764	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	83
PID 3764 wrote to memory of 736	3764	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	83
PID 736 wrote to memory of 4988	736	omsecor.exe	101
PID 736 wrote to memory of 4988	736	omsecor.exe	101
PID 736 wrote to memory of 4988	736	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
"C:\Users\Admin\AppData\Local\Temp\24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2df6edad94978c41878af0dccb8c506a

SHA1
6e3a0a640d3807b40ebe728eef7db14d303183ab

SHA256
9213e2ee65d59499e435df8e8484ef37cdc12f6e65409071f49a54fa2d172870

SHA512
b099c1ea95488677e00f00e61137c54ddb0e42e1d27ff84e4e8d51234c57af6041e73c74b098a627f61521d09309710f12c6eef40a99f94af7fade7b7ee6a2bc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
ea069a376cf94456603204a3b29a2e3c

SHA1
3d2f7b2e8d5db98557a617a98a5b167867248700

SHA256
1bae9071bd6ddf529df57522b869603c13d47a2e175748c3a4c665e929b3770e

SHA512
f0899797ea52d1871fe7879de2ae3a3aad2eaedfa5350b6144fd904803aa0b7512f91051c03f84148be19858332b76f6a2be57de62dfde351b9209bf3dd9e382

Download Submit