neconyd | 1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Size

72KB
MD5

75f834dcadb15ded5a93b83dea92f2a9
SHA1

1c9a84eb72387c06b5ced9f79fc3133126cdd0a8
SHA256

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156
SHA512

6330659e957041092242056baa9e652dcd9bec7630de34e291512dec678bb3bfa3f9e461baf43c6c19ecf280cd423320dd7ac7f736f3d89c565993fa05e30d23
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:wdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1468	omsecor.exe
4596	omsecor.exe
2744	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1468	4028	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	82
PID 4028 wrote to memory of 1468	4028	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	82
PID 4028 wrote to memory of 1468	4028	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	82
PID 1468 wrote to memory of 4596	1468	omsecor.exe	92
PID 1468 wrote to memory of 4596	1468	omsecor.exe	92
PID 1468 wrote to memory of 4596	1468	omsecor.exe	92
PID 4596 wrote to memory of 2744	4596	omsecor.exe	93
PID 4596 wrote to memory of 2744	4596	omsecor.exe	93
PID 4596 wrote to memory of 2744	4596	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
"C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
4a198a2a08e8cb0bba5e53500c0fadaf

SHA1
1e1925a3450008cca961f399b757d1d9af1c7df8

SHA256
39ae0b44e03690b3c9a3c92de775c1509319a6d7209b63f44f08c8a0e5baf719

SHA512
1852705e68a62d6f1389c2b197f69830a0d7af3c89c1549800b538186e31a003515af9554193c121e817a7dd0e93c361ec25ec5a8231cfa46c7805f4acd25eb3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
83b08750d85c9a8234bf8259874ed5e0

SHA1
35e613fdb856933de13d8815a1509582be68e5b9

SHA256
79031c2e02b44be9c964a7de95879af8f1444dc08961ea80b4171ed6b0802bc7

SHA512
c3843bbe64582d2fa7a12112a21bd09e8cf0c960e69ede3e1e6b3917d83eae1821c1761c11c559c1c7c270fba6ebeba8005fb3836b5a5d58986363804235fe64

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
16b6511760b2fa6f89ec6f40fbc69388

SHA1
a2d7e522207206d57ba202cc497c85b2d3c385d5

SHA256
631399089579756563b74c8153b5cb443b50b1d0fbf5878aa49cf59c28261ac9

SHA512
5540cb87ea6a39a58b868752b064f2164f56dd4b6b275052800d3a7bd8fd29c7bfa10dbbee58ad9bc8fc5808b433273ca9da83fef7f37731738114ddb7e8ce54

Download Submit