neconyd | 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Size

61KB
MD5

b43ae4bd2587aae0bb7cda53225bfb7e
SHA1

a7915c8f95202c58172bc6ffa283505e7874fb3a
SHA256

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344
SHA512

21c0cb46e37862689cf1fb6f75692e3ff094298c5e263db46b2f0df6cca1e943ef1e170dfd2f330080db80aa40ce6b64d80b36073557538274fbba116e743b84
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:7dseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3044	omsecor.exe
2148	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3044	3396	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3396 wrote to memory of 3044	3396	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3396 wrote to memory of 3044	3396	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	83
PID 3044 wrote to memory of 2148	3044	omsecor.exe	101
PID 3044 wrote to memory of 2148	3044	omsecor.exe	101
PID 3044 wrote to memory of 2148	3044	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
"C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e75c970bba40534408665e9780da0b9e

SHA1
14dfe6fee89cb45fe582844aeb9732941f34d86b

SHA256
fbe87e65078d3ea5eee27a339e541a95b3dffba4c91b3bc7a4d0ad50016d10c2

SHA512
ea214804fccaed5947da5e24641a712842cfad507e55029d21f201117d0a851ca7aaf515cdb62d44e8e342ac0719fa652e49a81c2a189e4b669359bfd558fca1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
c10ff2562703eb8b0b361be10c90f12e

SHA1
67b2a0c118f7b91c3076926df95acc228cfacd85

SHA256
9771685933d98171f0a49490e5465610bdc0a141040e92401577b2a48e396c70

SHA512
855b6275d4a17fc02fa2dc95b55f5e9bcb2178594d377098e0f8e6c81da49ba5295e0f2b05507efe5fe22400901c18cc44db0194c6532a33cda96cd3440f5f4c

Download Submit