neconyd | abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Size

80KB
MD5

e18e24f356a8e8c63bf88dc297a899c4
SHA1

aa8aa79865cafe82a191a03dd1529fb3efa840a6
SHA256

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4
SHA512

5ca22c975af625bb7cafae1976410233063e75b9ec21cfa5ec82855ffb39c9e1db83e789c8b5e7e24129ea3aacb8353da277829292c764611865acdb1b698c10
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:UdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1724	omsecor.exe
2772	omsecor.exe
1916	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1724	3972	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	84
PID 3972 wrote to memory of 1724	3972	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	84
PID 3972 wrote to memory of 1724	3972	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	84
PID 1724 wrote to memory of 2772	1724	omsecor.exe	102
PID 1724 wrote to memory of 2772	1724	omsecor.exe	102
PID 1724 wrote to memory of 2772	1724	omsecor.exe	102
PID 2772 wrote to memory of 1916	2772	omsecor.exe	103
PID 2772 wrote to memory of 1916	2772	omsecor.exe	103
PID 2772 wrote to memory of 1916	2772	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
"C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
bc4d2aab5413908020a56ab96df182b4

SHA1
b0cc8fee0590557c273af5e53d7f36a1bd4b5501

SHA256
a713b6cb3a50d54af252fd0f6e9d9aed88310efc38fbf3cd7280b95754fb7bf8

SHA512
1b6c15ea1d1322663f967585de45f0e1a100e09868b86b8f7d7797b2a88cd5b23ec36b20f82d638dc6b22e93078e95fc498782fba7e7b20826554fa8ceeb33cb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
c5b6a9b9748c845a0a90b1907243babb

SHA1
4255ca6ad793dce672631e9cb71fe65ab18f938b

SHA256
19a45e779ef49340cd281162b8f0a520e2299d3b2695f5d03a52097e14ad3da9

SHA512
31c423055de6c09c53509c1d411d72236fb2f765f01ac65fffe59bdfbcef04962ea53ad93e8862b73f844e593a086f50f90b8908eae78f9242baca10f911ed85

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
add1c5f43f34ddf089bb39eda6b50b5b

SHA1
a829e9d631b56bbfb027c8fb434965946c5d4750

SHA256
b72a0933ec9c0efbda3677eb24d231372c4313934210f489ff4300f02f1893af

SHA512
3270bcb9886b9cecdb759dadc7c45085c400a73586b676169d6bf1205930c6a5b39e6e4d247913b758a0312be2d14c26277690ca7be63505e96c97e8bde90d81

Download Submit