neconyd | 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
Size

89KB
MD5

8f079325c4c70893a16e983d451acb70
SHA1

3c4b83e47fa93b02f0bf42c04a0251a4da6c23b1
SHA256

665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d
SHA512

4f7a00d16710af3216e7a9e953e33b8ce280cf0d09a8769d9f78801d36c46bfd488e348e67c9bee4217a43d87e5c62dcdf859706356a3043bc0e84a12a7a5a22
SSDEEP

768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA/:JbIvYvZEyFKF6N4yS+AQmZTl/53

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4928	omsecor.exe
2836	omsecor.exe
1752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4928	396	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	83
PID 396 wrote to memory of 4928	396	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	83
PID 396 wrote to memory of 4928	396	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	83
PID 4928 wrote to memory of 2836	4928	omsecor.exe	99
PID 4928 wrote to memory of 2836	4928	omsecor.exe	99
PID 4928 wrote to memory of 2836	4928	omsecor.exe	99
PID 2836 wrote to memory of 1752	2836	omsecor.exe	100
PID 2836 wrote to memory of 1752	2836	omsecor.exe	100
PID 2836 wrote to memory of 1752	2836	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
"C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
404d9d59a0e9fb188bc32ec44243c3f7

SHA1
60f784f4ba8bfbfe5e736459c6090aea308b5d2e

SHA256
f93668a4e871a1e7025889c02fedb2f5584845c9e79aec5619943e9283747349

SHA512
dacb3626be87587c22255d68d4dc22f2aaa95458b434103c252edac8e191e8ba6faac80ae734ef3946147fddac1ad0acd4bea5876692ff883ee6eb329b57d230

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
36335d6d208518e28f1af8e4a063ff57

SHA1
957f080cd7cfe3e478b854056546f607b51fab75

SHA256
20c85413f71fda26627686a43e67748498ae2d403b8d79efb501af7977d954cc

SHA512
1ed06a264140956e3638d75c9a77c32f2d73b3cbde8ec0996102ead4a6adeb0dfda9a095caeacf91c22e17d79d68661106c22e46ac7369572fca7971e0cf5ade

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
6ab91b57f2873ffa753a1f276bd346d6

SHA1
8ebc7ec7fec001f05e1b51ba5a7951f3462de36b

SHA256
c7a769c450fda034e4fe7a0c83c62fc391ea6c5db12c39cc4c3af4e3f7ea22e5

SHA512
0f1dd8e48a7a4f9aceb4cd2286098e219fe755290e78faaf09fdc3c39dd8d5db96e9e9e33196eeffc3c53e57f6210f0a856cd6cb80515b637040c9acaa15a95a

Download Submit