neconyd | 394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
Size

64KB
MD5

65c8c108cff057c548c5ea19921c79aa
SHA1

d4e7d46ccb3dbb4e9b140c821f369bef52d74915
SHA256

394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe
SHA512

7a00b940b5b92c3ac7b0d2b77d90ff6f4899932021642dda35e219076af6131645457f8ab04f02fde6b22d056e593bc7434ffad96c7762ab61354a527af6ad26
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:PbIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4464	omsecor.exe
2488	omsecor.exe
5084	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4464	2988	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	83
PID 2988 wrote to memory of 4464	2988	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	83
PID 2988 wrote to memory of 4464	2988	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	83
PID 4464 wrote to memory of 2488	4464	omsecor.exe	101
PID 4464 wrote to memory of 2488	4464	omsecor.exe	101
PID 4464 wrote to memory of 2488	4464	omsecor.exe	101
PID 2488 wrote to memory of 5084	2488	omsecor.exe	102
PID 2488 wrote to memory of 5084	2488	omsecor.exe	102
PID 2488 wrote to memory of 5084	2488	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
"C:\Users\Admin\AppData\Local\Temp\394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
8beb0f83b2deddb130b82dc45d9a332f

SHA1
b9bec03c3d6c31eb97024cba4dccdca6439b960c

SHA256
4643bd70655f23c954bf89681b0b5f9e8240769b04c78bdf5d568837d12ac2d0

SHA512
4dc8db70e8867101e827abde1dcc9b84ebcf9d96ca7c37857311baf528aa13d15277236301227766acc4a3f62fb7d63bcfd387e72fe383da60e2897d9bf0b403

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
b73f84bfd72b85df89118d8da28d260f

SHA1
0e10220bef101c8eb73e564e372ecf77f2575fdc

SHA256
cd208472ed917630ab84f2a299440b47e47641c22658fb008213efdaf3e39a31

SHA512
cd354c3825d2d99443f1d1443749b42612c93d03c67d800c56a692090555967dc0831b7d75e95882f4a9f5d60a45cac51696725af3ddc0da9b215624ad06fa47

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
8fb5737a45192cef9c86d6163a6adc15

SHA1
1fb99816ea452f0a3501d4f020262cb447fb9eb5

SHA256
147c957670cbe40dcfda5f90ec3070ab77d962e9f32b0f53d69149d93343dd18

SHA512
49dd1b4dfde0c8289f1ed7b4a52dae51cd175f0a020f5fb76485fec06bdd3793161234919d2cd12462b294033a7380300d3369b331690d19891b749c0d35be04

Download Submit