neconyd | abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Size

80KB
MD5

e18e24f356a8e8c63bf88dc297a899c4
SHA1

aa8aa79865cafe82a191a03dd1529fb3efa840a6
SHA256

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4
SHA512

5ca22c975af625bb7cafae1976410233063e75b9ec21cfa5ec82855ffb39c9e1db83e789c8b5e7e24129ea3aacb8353da277829292c764611865acdb1b698c10
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:UdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2224	omsecor.exe
5028	omsecor.exe
4440	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2224	2892	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	82
PID 2892 wrote to memory of 2224	2892	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	82
PID 2892 wrote to memory of 2224	2892	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	82
PID 2224 wrote to memory of 5028	2224	omsecor.exe	92
PID 2224 wrote to memory of 5028	2224	omsecor.exe	92
PID 2224 wrote to memory of 5028	2224	omsecor.exe	92
PID 5028 wrote to memory of 4440	5028	omsecor.exe	93
PID 5028 wrote to memory of 4440	5028	omsecor.exe	93
PID 5028 wrote to memory of 4440	5028	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
"C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2415e14c340e5f1fc5bf17cd48def97d

SHA1
f8a96d11b9a7ba4e11c79874de13c83560de8e53

SHA256
3da757820c4f878a0ed0c13d35239cb1d4032b3dadc84666ff8a63081e80ce17

SHA512
fa0c6f3a407cf41814ec2bf6bbf509d029cd374c1c800a98c24b60618af2606b140441dbfb7b43d945b477f6b06aa3ca84317387001e585d8e9c889ba9abeebe

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
c5b6a9b9748c845a0a90b1907243babb

SHA1
4255ca6ad793dce672631e9cb71fe65ab18f938b

SHA256
19a45e779ef49340cd281162b8f0a520e2299d3b2695f5d03a52097e14ad3da9

SHA512
31c423055de6c09c53509c1d411d72236fb2f765f01ac65fffe59bdfbcef04962ea53ad93e8862b73f844e593a086f50f90b8908eae78f9242baca10f911ed85

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
2a6936c23e5705ef6666e896b5262788

SHA1
13145cb5d282d81e22c4c74a4173bf259326dc51

SHA256
f07a5c53c08d00a85a417d995b13f7c6618fc60c9dacbe1a1cc63bf6c27e64ec

SHA512
240911cf21976f605383b3a40137876bd91f80574a89c9723215eccc0289ccb71a6f9a12d6ceac2710fc8efb0d9f4937778ac697b21183f35060ef59915f7428

Download Submit