neconyd | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Size

80KB
MD5

b1f8acd97175c71200908ec76ccf7906
SHA1

6c276b3aa94849880068b9f1c25490cc4e9e7152
SHA256

fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe
SHA512

489d8d4f949677a5784035d297561d883c7260492247504c107918847b49d02fdea5cf1b553dabb7ba163d1108fb4c93e12253d03ca58582268308ada1dc4c9c
SSDEEP

768:tfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:tfbIvYvZEyFKF6N4yS+AQmZTl/5m

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4772	omsecor.exe
3000	omsecor.exe
1912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4772	2928	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	83
PID 2928 wrote to memory of 4772	2928	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	83
PID 2928 wrote to memory of 4772	2928	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	83
PID 4772 wrote to memory of 3000	4772	omsecor.exe	100
PID 4772 wrote to memory of 3000	4772	omsecor.exe	100
PID 4772 wrote to memory of 3000	4772	omsecor.exe	100
PID 3000 wrote to memory of 1912	3000	omsecor.exe	101
PID 3000 wrote to memory of 1912	3000	omsecor.exe	101
PID 3000 wrote to memory of 1912	3000	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
"C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d7e912cd743b0bd5519d91debc0fc60c

SHA1
3f8d71605c781afd0336e98cb243ff9662ab4b8e

SHA256
cd1961b57e562b8b8f5d9cd0d76bb72b3c29879fee45c4fb5b21f1c95aa572d1

SHA512
c4af01cfb02b7bc12bede6e2a769c3137351fe3474a8d63c55ff3dde0d2abe5d729bd2c34d1a53a07ca1827a5218b1754a9b899041147e1b7c2930c9127f9da5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f769355d1e6c412d80086fdd3d4e3295

SHA1
f68bd478681f304b660ac64814dc4a2434507d5d

SHA256
4930fa8fc38453eb9cd216b34e294a61b37e1598745aa67c709f0489e1b8f4c2

SHA512
4aeca2c79b16a93860b1d2f997c810181dd53d9ed4c600454c5a01ba4eaefc53aeeba25efda4d779f00dcdfea4f91d6097f912bf7a897ba8af707626787fa565

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
c9f042ed5c9f6cd666493690e22944c0

SHA1
71c5fc743f1080cab8ae4e5d1ba14654e432c2f8

SHA256
9c9c75bc37c8dd6ad611c20c726dc724446cf09d7ea134f1dfa3eb33ac0647f1

SHA512
3328439af74c229a31ac5ef4bc1a733c6e32078f4179e2e6fb24c92e613e24031b75dfe0432093b98a7a7dc45bbc47edb29fafad845ff25416f68d5cdf3fc3eb

Download Submit