neconyd | 8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Size

65KB
MD5

ed316f4bc5b73500ba04a43da4fe8a68
SHA1

43be5deea5f422feb74555055185d40dd5f06b70
SHA256

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c
SHA512

1544f38cd0fd69bf5af6ccc363cf0eaff45be269f030627e09b5669bae1ba7398339198148a9b693143513823c5300d93faef7c38c4cc64e05df724ffda55813
SSDEEP

1536:ad9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz3:6dseIO+EZEyFjEOFqTiQmRHz3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1860	omsecor.exe
4444	omsecor.exe
1920	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1860	772	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	84
PID 772 wrote to memory of 1860	772	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	84
PID 772 wrote to memory of 1860	772	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	84
PID 1860 wrote to memory of 4444	1860	omsecor.exe	94
PID 1860 wrote to memory of 4444	1860	omsecor.exe	94
PID 1860 wrote to memory of 4444	1860	omsecor.exe	94
PID 4444 wrote to memory of 1920	4444	omsecor.exe	95
PID 4444 wrote to memory of 1920	4444	omsecor.exe	95
PID 4444 wrote to memory of 1920	4444	omsecor.exe	95

C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
"C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
0bca9b6d1163ececb5db4b6a9681af4d

SHA1
183df1e2f33658c77d730c488d03682be512d4be

SHA256
766309f6417343f622e993e28e5fd3432e10a160700f9712a984f62697eae666

SHA512
a105276c02d32a612079870ccf0c36597282981fa1dba1fede9e2c55ee638135ac7c424e39e8fc8aee61bf4c09e8d2bcaf51b49596a820886865550b5cdfef24

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7d3d7de3e2fa5cf93badcae0c31b55c7

SHA1
e78feff035fc2b6579ca56839aa1b1abff624b24

SHA256
9d07b8705d8b7779454f28657a1680e64aae24ed072bd78ebeae4d3da83a6e20

SHA512
ec0294fc2ab091f09e1c56b399dcea68305fbede06cc50aa8e0327ab06b6be1e805539e579ff90c2841a0d69e050ff62c30ee79a4d36bdd38cc0f58fe5d917e3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
bf6479a159749ce9655d8f356aafe2be

SHA1
3969536260a865c1972c2044e39e8e40c2cc4ae1

SHA256
b9542a39a2cf46da4d86cfeea9d670b9a8b8c38722d0c3152582e4e29f4ac1d2

SHA512
cc70dec61b23caa2340e146a174f18bb7222b000a80d0f0abd2834ef4dd644d196f47d3f1f851b0fa3921fb3281f5deeba630b4d0c3f7551820e0be0f2ce850a

Download Submit
memory/772-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1860-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1860-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1860-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4444-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4444-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download