neconyd | 011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Size

71KB
MD5

7ddc1a5c59e68242c7687033f8af05c1
SHA1

643c3a979d53d748afcb2631343693a6a3cf210e
SHA256

011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681
SHA512

ec5a2dbae1a4715b409bfb892c2227ca9c98eba5a54853c5094e485a2fb09b92115c1b8edd7d4571c26ca1470d3251ce837f1c71e68f9a45ed7d815f4b750580
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHf:TdseIOMEZEyFjEOFqTiQmQDHIbHf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
5100	omsecor.exe
2040	omsecor.exe
2400	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 5100	4812	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	84
PID 4812 wrote to memory of 5100	4812	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	84
PID 4812 wrote to memory of 5100	4812	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	84
PID 5100 wrote to memory of 2040	5100	omsecor.exe	102
PID 5100 wrote to memory of 2040	5100	omsecor.exe	102
PID 5100 wrote to memory of 2040	5100	omsecor.exe	102
PID 2040 wrote to memory of 2400	2040	omsecor.exe	103
PID 2040 wrote to memory of 2400	2040	omsecor.exe	103
PID 2040 wrote to memory of 2400	2040	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
"C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
0b063982ea381169d5b1b2d9750e9700

SHA1
5341e0ed4162611b367f5f6609ed53c199967c2b

SHA256
1c37c25ca820286f9014a35b9ae41bdada0039ceaf4790b71d4e00308babb58b

SHA512
55665ffd4c6dff5cd58e36fdada345401aa46f3b86b0db7b03b30a97874be81f7ccfbf10b974d9768206eb1ef4f95870a9ba2075c1082de99272e6154246da85

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
e5fa2528e594d55396f1ce884565d3bc

SHA1
4aec927bec4b5605893d4781dedd7dc017c3e2ca

SHA256
1beebee7485d2769b07c25af69a7c79e92da8d08ecc1ac20dbad9faad6f8ec42

SHA512
cfdbf0ef184448565fc62f0d153ff0bd959c2d6f9f0fa38a3e4eb2aadcb34a03d0a50a3e6b28af13d96af6ef547448da5ea91545149b337dce23765abaed6520

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
5c23ed507e3744b7d1d59750d9e8d863

SHA1
08a20bb8ca97f2ede240dc1d1ef3ba61fa113148

SHA256
4dcf7e679d638acf51a53eb9eab4dd96296d9529cc44da2996916e68da69d3c8

SHA512
24c42a1f94d8f4d3cac7ba47b2d1f6040332916ef539d7710fbedf5d59451cae9cf0d409b99b2a19de360a46808dc4967d777673745ef7079c8eec54525c5438

Download Submit
memory/2040-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2040-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2400-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2400-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4812-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4812-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5100-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5100-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5100-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download