neconyd | ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe
Size

71KB
MD5

962086da916bed4b6c8c4a31b7b2dfd3
SHA1

53fbbeb2ac17f172397f6d7129f17aa2be6cde93
SHA256

ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed
SHA512

425e33623bf1636caf95096a06426bc0e200e0aab92fe1a564e2e4685f010d1041f4b0fe37ad1dad36fa6aee5f78d22cfaabb7b1c97481b47f8b9234b15e390e
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:7dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4684	omsecor.exe
4256	omsecor.exe
4848	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4684	2716	ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe	85
PID 2716 wrote to memory of 4684	2716	ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe	85
PID 2716 wrote to memory of 4684	2716	ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe	85
PID 4684 wrote to memory of 4256	4684	omsecor.exe	101
PID 4684 wrote to memory of 4256	4684	omsecor.exe	101
PID 4684 wrote to memory of 4256	4684	omsecor.exe	101
PID 4256 wrote to memory of 4848	4256	omsecor.exe	102
PID 4256 wrote to memory of 4848	4256	omsecor.exe	102
PID 4256 wrote to memory of 4848	4256	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe
"C:\Users\Admin\AppData\Local\Temp\ed65551c6e02771116ae3e8961488194a58b82063f38f992d0388bef972819ed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
8598027d22eaf5fb0b72812a4cc41aa1

SHA1
57ad0ebc81dbff954b9a81819b098406de4b679a

SHA256
68356a24ce66385169479ef115b30635ca78b5e8a60cf5929aa21444ccc37c91

SHA512
e1e6985e1acaaa38ff95a94b18348bd97282ab081a4fcb7c7219f513c9f84e280baf271841c914752fbbe9f026181ed23b2189c807b17d0930a9fdb1c4ff3698

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
e9926345319be474a0b6743330de67f9

SHA1
3d577ecdf8ef9a54ba3446badbc34555e8f25b38

SHA256
405fa5f56b2e411e2057a56c17d41625837ccfd196e89450bc0aa168803a244d

SHA512
2a3fcabd95f304804503f3d39361c54296831cdf6f2dbbd0907358f83e130f802a574dbd6c8c6bd08e997e6eda1f173fb050639020a03921b94293b1b7df43ac

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
ff00d0827a4b12dcea0f63c0162333c8

SHA1
414d8709be10380208ff762008f001dbce7d96ee

SHA256
8d0de113719dd9ac74290d8030b8cf845cb0f4939d3012c5c4489076e7a6dba0

SHA512
07a31b849a476da71427177973b0e7e688be21201857b156254c8fedb5751f3f6a20168d784959f12857c8b8613edc8910b02aae7bab2668b590cb29a0c2a3aa

Download Submit
memory/2716-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4256-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4256-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4684-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4684-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4684-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download