neconyd | 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Size

61KB
MD5

b43ae4bd2587aae0bb7cda53225bfb7e
SHA1

a7915c8f95202c58172bc6ffa283505e7874fb3a
SHA256

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344
SHA512

21c0cb46e37862689cf1fb6f75692e3ff094298c5e263db46b2f0df6cca1e943ef1e170dfd2f330080db80aa40ce6b64d80b36073557538274fbba116e743b84
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:7dseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3372	omsecor.exe
1280	omsecor.exe
3376	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3372	3204	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3204 wrote to memory of 3372	3204	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3204 wrote to memory of 3372	3204	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3372 wrote to memory of 1280	3372	omsecor.exe	101
PID 3372 wrote to memory of 1280	3372	omsecor.exe	101
PID 3372 wrote to memory of 1280	3372	omsecor.exe	101
PID 1280 wrote to memory of 3376	1280	omsecor.exe	102
PID 1280 wrote to memory of 3376	1280	omsecor.exe	102
PID 1280 wrote to memory of 3376	1280	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
"C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
a3d38bfe4aafa6fe49a5865ae7ed744d

SHA1
7cdaef2013c06e82af12a0c33bbb28b2c0fe97ef

SHA256
1a726e737359f6617b02fd8d577faba4e05f8bdbc7f0bd5c319cb3173f8f4677

SHA512
31456f3f4be194710455cfa335756691efc15bf1622843d661cb6622c23ec755a99252e31d08af08c30dc1d778700aac4f16dc1ef90a0133780bdc03716b4f29

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e75c970bba40534408665e9780da0b9e

SHA1
14dfe6fee89cb45fe582844aeb9732941f34d86b

SHA256
fbe87e65078d3ea5eee27a339e541a95b3dffba4c91b3bc7a4d0ad50016d10c2

SHA512
ea214804fccaed5947da5e24641a712842cfad507e55029d21f201117d0a851ca7aaf515cdb62d44e8e342ac0719fa652e49a81c2a189e4b669359bfd558fca1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
291b44cf4242d867e7671984d548fd00

SHA1
c35cd40242b31597f041185a16c3dea86adf5766

SHA256
8c9bc8bb75a39f8e6aec443b110ff3a1eaa92f6e6fdd235d8dea323f6f18ed18

SHA512
46abf5e1115f21e13ddfd5288c143d34f8d583262d2bdd7426d3656aeb88ec0cbd1d57385ce358bc70ea8732f5b3bef10cb883133335356bf12d1d8b4831c169

Download Submit