neconyd | 261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Size

76KB
MD5

fa3e88b79d7f31ed90462d41155ccfe0
SHA1

4619556e37f8549041b280b1626342c74e3bcb3c
SHA256

261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9
SHA512

0b90acec18ec4eaf607575bb13ecd581d192f8a6c06e637f3afbbf5970fd98f30fa018f1260cdd7cd2d9379b64363d1cdbe20aaa23d3258f04a8d212c80aa5be
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:MbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3512	omsecor.exe
4116	omsecor.exe
2068	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 3512	3300	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	82
PID 3300 wrote to memory of 3512	3300	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	82
PID 3300 wrote to memory of 3512	3300	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	82
PID 3512 wrote to memory of 4116	3512	omsecor.exe	92
PID 3512 wrote to memory of 4116	3512	omsecor.exe	92
PID 3512 wrote to memory of 4116	3512	omsecor.exe	92
PID 4116 wrote to memory of 2068	4116	omsecor.exe	93
PID 4116 wrote to memory of 2068	4116	omsecor.exe	93
PID 4116 wrote to memory of 2068	4116	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
"C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
16c6281dd14731c3d3cf5b069ae60804

SHA1
ba38a02e9a3439877b181a83ebe0e5d40d9e46fd

SHA256
b9a95ce6c7545b3d277142f52e5f35126a053346025d98e6212fedd693d52ff3

SHA512
f24b0e95ef311bc13af821e9306bb03b0caf7d6ee16e83943595c767cb97e1c6caee1793af3ca74c18119807de720525d3abe10a4c410bb44a695615856264c9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
690355737d2f814f310663bba1c6a360

SHA1
74e33198be7097aecf28ba8cac8504fa705ef8ed

SHA256
132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655

SHA512
4ba88aac4f4a493f851e8f7bba4c9366b1fae32e8d9badfbe0456d8703b2b41bb58e5222bc23dd6527ab2d84c0bacdebac38007cafa745a3543cb7d5c6429b5f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1a36dffa8f168bdd65a2e8e219a9c2b2

SHA1
a35bbc0ec77a92a181ab9ab66bef17bcaf665367

SHA256
2a52e1b0a945b844a08930be812a31435c0b986206805f5ab881414facad16e0

SHA512
40013a4b8793f86d3d042ac5da0166ed091de04e326d9756642b6d179c8bb50764008225de5c34ae84575eadfc0b68bcaf758bdab2ea79027922058f074e416b

Download Submit