neconyd | 87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
Size

65KB
MD5

f4d23a12b91eabc6b0ab6d74b3165840
SHA1

e3e5761bb1d5155fc4f8d83ee53877bcbf8aeeca
SHA256

87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd
SHA512

62cc1168ad0c21ca1dbd636b453577d147e2b4d15c17f6e26b516f9f8bb7417b843235aebd4c50f4b8a8986d06b84cc4b810ed240faac4ba643728f489b93886
SSDEEP

1536:Od9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:WdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4668	omsecor.exe
4992	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4668	3164	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	83
PID 3164 wrote to memory of 4668	3164	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	83
PID 3164 wrote to memory of 4668	3164	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	83
PID 4668 wrote to memory of 4992	4668	omsecor.exe	101
PID 4668 wrote to memory of 4992	4668	omsecor.exe	101
PID 4668 wrote to memory of 4992	4668	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
"C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
6f0742dda9615f89331da8e2fab0f796

SHA1
80ba2d59dac3684101f0abac1481bb8c652593f1

SHA256
261cf7133a4f55df9cc3fc72cc58991bbd69789f9098e1064a058321b2e24ff3

SHA512
64e945e6acd96b291abd5fe3b9342b0474af9afae82b188bd23ebc6d1735c5b8a60654b43d8de3f0670ba286f894c86b1c1e837195b5b9e94cee61e3cbf0be3a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
c1e55c21e3442b96f2dd26b57ac531c1

SHA1
1cc845020f68a893fe751f851383196dccff8bd3

SHA256
4a2cdec670d2f2f6632fa76b0f9a27ab0b39ac9ffd55decc5d9d56b186ba9285

SHA512
857bc70f51ad08e289728f0c23eeb5661867cba14a52716dff231668061edf5af37565923d9419b29d12ffbb2b1d8200bb1a39c131594ed126b16354f5a0ec1c

Download Submit
memory/3164-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3164-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4668-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4668-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4668-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download