neconyd | 97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6e

Resubmissions

30-12-2024 19:55

241230-ynjymsynaw 10

30-12-2024 19:53

241230-yl7a6aymdw 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe
Size

65KB
MD5

776343c921e3360282ec794ca27f70e0
SHA1

8f7c99f9c71d7444aa25af261bd0b17571b76127
SHA256

97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6e
SHA512

1a4023d9617fa52b54d1405a7790b57e197b6fb91489b698d50712d079766ec4e789351c27aee1adef26ee4ba701cfaea4a21faba9b0d1e7021a31ae32479307
SSDEEP

1536:Od9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:WdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1724	omsecor.exe
1936	omsecor.exe
1208	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe
2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe
1724	omsecor.exe
1724	omsecor.exe
1936	omsecor.exe
1936	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1724	2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe	31
PID 2888 wrote to memory of 1724	2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe	31
PID 2888 wrote to memory of 1724	2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe	31
PID 2888 wrote to memory of 1724	2888	97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe	31
PID 1724 wrote to memory of 1936	1724	omsecor.exe	34
PID 1724 wrote to memory of 1936	1724	omsecor.exe	34
PID 1724 wrote to memory of 1936	1724	omsecor.exe	34
PID 1724 wrote to memory of 1936	1724	omsecor.exe	34
PID 1936 wrote to memory of 1208	1936	omsecor.exe	35
PID 1936 wrote to memory of 1208	1936	omsecor.exe	35
PID 1936 wrote to memory of 1208	1936	omsecor.exe	35
PID 1936 wrote to memory of 1208	1936	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe
"C:\Users\Admin\AppData\Local\Temp\97b187e01326280b838be47599ab5eae9890bffeb9827f2df247554de5c67a6eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
01652a2dbe84b8a859a9b71098dcf14c

SHA1
9c9b5dca8f8659582d86e47f1bd9a3b35f2a9c38

SHA256
97bf0ff4d5aa12f0263d62426889aeb3c7bbf4a744a689d607057ab0056742c9

SHA512
48276578a5415feb2f3c538a8f44d311d5cc119c6cba583abd541c9c24eabf7759bcb3eaacb189f6be1122accdfd4dc91c8e3bc3d54f98f31f2fe4bfc53b776c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
c76f2b43fe2d5da739d9c290752bd066

SHA1
0ddcd7b9b4deb195ebece44dbfd90e8a8a996ad5

SHA256
8a8d1d1ea8186897dd5e33de4c77f8afe50ff6af0601d882fea94c9f65f8c33d

SHA512
da06d22bb501f77b9bee1ded8fb7bc8d08794b119ddd81bb0b43bd2829a29b36d9292263214416da96da9599580927d20f42e1c46322d0dbcad0782648f5ca88

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
82cfb9a03fc8bf537ae98228a02d4549

SHA1
dbc6232dd3c506099df966810bf097660a8e03e4

SHA256
dea470732388ccfce8c5502d8bf6a785b1f8ceb6e4732949c1ae4ee77f2b960f

SHA512
a57b24c66bff9714d17a378930f0ca5a855d6953c84439ea3ed9b3b6c7a858dbb82f7ebdf0312eb3e0dc622400405a4d0bfdaf4d5de97ca116e24dbc32823c6e

Download Submit
memory/1208-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1208-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1724-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1724-18-0x0000000002070000-0x000000000209A000-memory.dmp

Filesize
168KB

Download
memory/1724-23-0x0000000002070000-0x000000000209A000-memory.dmp

Filesize
168KB

Download
memory/1724-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1936-29-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1936-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-4-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download