neconyd | d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Size

92KB
MD5

4e4dbc0d7fa4ec586b9c1ec635942faf
SHA1

7977b5c48cb725afa4d7bea9b9bdc0d182c8299f
SHA256

d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a
SHA512

08533947db74605344113ebf8ea7f160bf59de80a2f4d12df382495d53f70b0c0e44b87e512c5d433b8c30aed35d4da149808306372cd2bb8325c15812d70121
SSDEEP

1536:sd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5V:UdseIOyEZEyFjEOFqTiQm5l/5V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1724	omsecor.exe
4868	omsecor.exe
4116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1724	2560	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	82
PID 2560 wrote to memory of 1724	2560	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	82
PID 2560 wrote to memory of 1724	2560	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	82
PID 1724 wrote to memory of 4868	1724	omsecor.exe	92
PID 1724 wrote to memory of 4868	1724	omsecor.exe	92
PID 1724 wrote to memory of 4868	1724	omsecor.exe	92
PID 4868 wrote to memory of 4116	4868	omsecor.exe	93
PID 4868 wrote to memory of 4116	4868	omsecor.exe	93
PID 4868 wrote to memory of 4116	4868	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
"C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
4f9a20f19fd6a06b7e007f4c87a02b98

SHA1
aa6fd84b205fb4ea7380ac8098d965226a40efe1

SHA256
af76a3d1e1ea5a3eb2c48cf44424cb6be18972b9715d30761b0916c44dbac69a

SHA512
c57433e518efc03bc17323d22d8141a8a283a75bff44917268ba33842662a25c87a4fe4b5e0d7fbc0a2386afc5cd970bcb17928e29a1e021b38eb6aa679af40c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2311f2c6b6485ec165f981a713d5cc06

SHA1
a1b028caf711dee1fd21c0b31f372549b88ea0e0

SHA256
bb8b9780732ff626c5a94f4a34c32dfc28f8503594a768df7ed937aa7dbd104e

SHA512
ceb18eced48411ba052a5215032caa6c988247b4ef71c1a183272dfe7bd725e5de73b8c98256c17df9ef40ec5d6709104e0ae456a129f52699d7986d410f0074

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
a924d460b85ca51c0698de74a8283763

SHA1
598cf73820e86fac7bfab51ddc4d86f118ae3c71

SHA256
80ce2a1ef9e3de89acd34525f35d293ef47bee916595498de9971144d4f09576

SHA512
430df855eea3c4bde6e63fb4c80c0e9f6ced2858728997105590b7ed8c30730505e5c1fab9427944b207f3213364d72186e6ec39be2654ffa3be98299efc18d9

Download Submit
memory/1724-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2560-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2560-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4116-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4116-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4868-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4868-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download