neconyd | 132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
Size

76KB
MD5

690355737d2f814f310663bba1c6a360
SHA1

74e33198be7097aecf28ba8cac8504fa705ef8ed
SHA256

132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655
SHA512

4ba88aac4f4a493f851e8f7bba4c9366b1fae32e8d9badfbe0456d8703b2b41bb58e5222bc23dd6527ab2d84c0bacdebac38007cafa745a3543cb7d5c6429b5f
SSDEEP

768:AMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:AbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2716	omsecor.exe
1084	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 2716	4376	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	82
PID 4376 wrote to memory of 2716	4376	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	82
PID 4376 wrote to memory of 2716	4376	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	82
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
"C:\Users\Admin\AppData\Local\Temp\132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
80b2cd4a7505b51896eb1fc187e13082

SHA1
449e6fc05dc0d9fdaea6904e0f4d053c9aa00203

SHA256
b0f3dc1e3997e6b2099b5d1eadca8ba05d445affdebfbfc71a9f651a5dc625c5

SHA512
2001d4df818501388fee016012f6bed2e84309e3633e5f6c779d49db819577db0facb3fda4dc32c52a63dfade807cb23fd81a57b8bf26729a37f4a5f67d8b78c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
69f67c3b2eb8169d7d2aa8b2ec4ecc59

SHA1
b36eacaf6b2e8d9465e8a31148340af7f0298ff0

SHA256
b2d5a071d8c9eaf09910b27c5a282e28d4ee8cc733e864f54eb7a4a090d46945

SHA512
f2f85e813692a8e1de747db6f4ba535f933b764ae5e84ff2023f03100330b41222f1a24810faf6f2b77cd894bcf88b2bbf026f1eb79ff4b99e1c5c33938b3e04

Download Submit