neconyd | d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 03:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
Size

65KB
MD5

094d56d2da3041bb8815811ce7b5214e
SHA1

ebaf98345d06ec97eb65029233e937f8582613b2
SHA256

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0
SHA512

8e9e16948a84aec3539f3a249c27c6376c3e91fb85464417747c07eaa533b1c8e23eea2493400800d1adb15a69c8b730d9637714d1209b7bc23b6aa7f58a24ea
SSDEEP

1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:xdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2232	omsecor.exe
2868	omsecor.exe
4592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2232	4944	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	83
PID 4944 wrote to memory of 2232	4944	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	83
PID 4944 wrote to memory of 2232	4944	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	83
PID 2232 wrote to memory of 2868	2232	omsecor.exe	101
PID 2232 wrote to memory of 2868	2232	omsecor.exe	101
PID 2232 wrote to memory of 2868	2232	omsecor.exe	101
PID 2868 wrote to memory of 4592	2868	omsecor.exe	102
PID 2868 wrote to memory of 4592	2868	omsecor.exe	102
PID 2868 wrote to memory of 4592	2868	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
"C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
c3be1804bd02139b591649a92eddc539

SHA1
47b502699fe9c9a4b6dabe12b4957847a6f08009

SHA256
c11a35fd646709805098737e4083f46101d0c1aa238549fa18af88a4d3458291

SHA512
e42b6b53465cadcc3f42783536e2b40b6929d2b937da9a87856a179ab5f74db55492d2ca427dbf54630e77d48d3cf80639fc39e316d0f32f95209bcf4cf3c97b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
359a3222942fd7f53acf78503cd3595b

SHA1
9645d8586e7c5311489e28c89e31b3d26f41c5af

SHA256
1fb9d9767490839b3308779d69178300d305ea19caff320c8eabbc2a1dfafc19

SHA512
76b057054cd15a7a8b8ef1f3dd942a95a0b9a79cc0bc1b60dfbbb22334d5f2c0726b1bb55d6fadd67c74b6d65d21830d0a222d82e019023a94ea5b9aa3341432

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
a4fecf9ecf1dbb1d6faacc8322c0b674

SHA1
f95168d584377743c17720a4e65180aa81748172

SHA256
e599bc1d7ce84a7af71810603e76d15d26082f58fb01587e1864e12e484c5f3d

SHA512
c82cb24b29bf75f8c09a9b887b6544581424b1bae0e09a51520697bafc6aacb71a8e76fc0535a30290052ff8d5997c39bd8a0f24d34b862131e108167c97855c

Download Submit
memory/2232-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4944-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4944-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download