neconyd | 6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe
Size

80KB
MD5

de95f56d652d6d483f6d2c86b5d585d4
SHA1

bbb0630319bbc561b9bb85f40feec39957a10dac
SHA256

6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98
SHA512

24ce35bdbbdb323ef8403db13ed92d43d4ad25bdc80ce5570b3046bf41edefb99c8061714f63153cf959deb899daddd59d65a13e5c1298ca257a8100eea521df
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzx:4dseIOMEZEyFjEOFqTiQmOl/5xPvwd

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4848	omsecor.exe
1716	omsecor.exe
4600	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4848	3716	6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe	83
PID 3716 wrote to memory of 4848	3716	6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe	83
PID 3716 wrote to memory of 4848	3716	6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe	83
PID 4848 wrote to memory of 1716	4848	omsecor.exe	100
PID 4848 wrote to memory of 1716	4848	omsecor.exe	100
PID 4848 wrote to memory of 1716	4848	omsecor.exe	100
PID 1716 wrote to memory of 4600	1716	omsecor.exe	101
PID 1716 wrote to memory of 4600	1716	omsecor.exe	101
PID 1716 wrote to memory of 4600	1716	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe
"C:\Users\Admin\AppData\Local\Temp\6edf465105aaf58ce398d7072e25d8329469469970596a076b12bccf7c1eba98.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
90f970d06987a346d26b02ed6c74815c

SHA1
8d78087fd6ebe439b552505400600a34c5777b95

SHA256
ffbdfab572ba38021a574837077e0eb6c2c69118255a8251c354ba5034ec17a5

SHA512
8efc85c9e4309eb9404084db520d6564c5042d980b796e0335921295702a6218057f249e6054cde8ab5a256ace4617f60387deafe94c578398fc7582c9bc60cd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
03be010ef5cb0587a786725364168a44

SHA1
8f029fccde27c604f1e41538fff1e3edaee8f42e

SHA256
e0421e9086c04d3e83b998a4b5653a4c71099d3ed688525599bdc6ee49dbdde7

SHA512
e85972d4d42eecf3770eff8413141b29003e0a723c88266de4a6a13f1137e8f87c3834f7599d9380dc8e88dd070a1f62a15ba1890152c318f7f308d6d67e9d12

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
0f84a285da1addd14a52529fb358d829

SHA1
48c52da47ec05feaf776c496fe3ecfa818cb2d2d

SHA256
9398c1da2ba52cb1f08b72ee6e030e346bff0d984d23f30916188407ed8e0012

SHA512
7f576b4f9d357996cab473f644ef66b6aa7af2a478799d8331609f02d90b805771c6ada763706a731cf14a50b13cfed789fccd6d4e443268123c793f54823afa

Download Submit