neconyd | 1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Size

72KB
MD5

75f834dcadb15ded5a93b83dea92f2a9
SHA1

1c9a84eb72387c06b5ced9f79fc3133126cdd0a8
SHA256

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156
SHA512

6330659e957041092242056baa9e652dcd9bec7630de34e291512dec678bb3bfa3f9e461baf43c6c19ecf280cd423320dd7ac7f736f3d89c565993fa05e30d23
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:wdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5104	omsecor.exe
5100	omsecor.exe
4924	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 5104	1364	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	83
PID 1364 wrote to memory of 5104	1364	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	83
PID 1364 wrote to memory of 5104	1364	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	83
PID 5104 wrote to memory of 5100	5104	omsecor.exe	100
PID 5104 wrote to memory of 5100	5104	omsecor.exe	100
PID 5104 wrote to memory of 5100	5104	omsecor.exe	100
PID 5100 wrote to memory of 4924	5100	omsecor.exe	101
PID 5100 wrote to memory of 4924	5100	omsecor.exe	101
PID 5100 wrote to memory of 4924	5100	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
"C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
58e784edf3ca5134d02d5a0cef83a66c

SHA1
ccbf89a7580aa29d2a9abc82503edd786bd9c482

SHA256
95874164a3f232a229cd672df282859f8811149a52984e57a464d590487b0552

SHA512
2aba7933ce2b1bc76ff038fd9709170c0327d4d2a6c26e6dfe7ba0146837aa94ec8b7957d02a5ddef6e9c66c5a0b55c12f9d102a14658901b1c75f53ab2dff42

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
83b08750d85c9a8234bf8259874ed5e0

SHA1
35e613fdb856933de13d8815a1509582be68e5b9

SHA256
79031c2e02b44be9c964a7de95879af8f1444dc08961ea80b4171ed6b0802bc7

SHA512
c3843bbe64582d2fa7a12112a21bd09e8cf0c960e69ede3e1e6b3917d83eae1821c1761c11c559c1c7c270fba6ebeba8005fb3836b5a5d58986363804235fe64

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
44e25890d1af3f76cee43fc9fb182d60

SHA1
a6b81db5ad7d9653cbdeee5383b5ab5a687cbfac

SHA256
9a34c53de3642671265c350d9d62b5beaed3a006e294abb131fa58e3171f9f2e

SHA512
815ccb04d6f3788614018982404f7049fe5a5a4446cb68f61f705be9948f06b144dee07850bd1ff6b55c7cde3476a3ea9cf808e083753add7c249fa49e0a19a9

Download Submit