neconyd | 8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Size

65KB
MD5

ed316f4bc5b73500ba04a43da4fe8a68
SHA1

43be5deea5f422feb74555055185d40dd5f06b70
SHA256

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c
SHA512

1544f38cd0fd69bf5af6ccc363cf0eaff45be269f030627e09b5669bae1ba7398339198148a9b693143513823c5300d93faef7c38c4cc64e05df724ffda55813
SSDEEP

1536:ad9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz3:6dseIO+EZEyFjEOFqTiQmRHz3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4432	omsecor.exe
1608	omsecor.exe
544	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4432	2432	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	83
PID 2432 wrote to memory of 4432	2432	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	83
PID 2432 wrote to memory of 4432	2432	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	83
PID 4432 wrote to memory of 1608	4432	omsecor.exe	100
PID 4432 wrote to memory of 1608	4432	omsecor.exe	100
PID 4432 wrote to memory of 1608	4432	omsecor.exe	100
PID 1608 wrote to memory of 544	1608	omsecor.exe	101
PID 1608 wrote to memory of 544	1608	omsecor.exe	101
PID 1608 wrote to memory of 544	1608	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
"C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3fc3b17a756dc40f99042f5d67f0fc39

SHA1
1c7a4f881cfc10556bb23de3425fd67babf5b7de

SHA256
801abd656a635522030d83617bcc3b9820d865509bad6395bc143a07670b9279

SHA512
06ba3ffdebac4af6b93d84fce1a9c148ae7b27e0ea129293c2c373def097e21d277598c8e71d78cd4bddf3bdc012e75e15e210b531e0f6994dc1e35ca0877fd1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7d3d7de3e2fa5cf93badcae0c31b55c7

SHA1
e78feff035fc2b6579ca56839aa1b1abff624b24

SHA256
9d07b8705d8b7779454f28657a1680e64aae24ed072bd78ebeae4d3da83a6e20

SHA512
ec0294fc2ab091f09e1c56b399dcea68305fbede06cc50aa8e0327ab06b6be1e805539e579ff90c2841a0d69e050ff62c30ee79a4d36bdd38cc0f58fe5d917e3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
e55d1960b9983d22d8c0f37387dee350

SHA1
96e26b31f48ae2723988c2e68d935787898c34eb

SHA256
aed744e8ba90657a2fbacf228991350f691c7c6ee1c7bd1b2f1ead3d28fd461d

SHA512
9666887635e791bacb6e3dd66dd82bff689fd2cf98d88ceea7d51e1e19d2129731c201288074a3ec041bf849d0a2bcc1dcb128d60c35e76768ca8f4617206801

Download Submit
memory/544-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/544-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4432-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4432-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4432-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download