neconyd | b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
Size

76KB
MD5

1db49f4dbdeb0bb3961f6e1b06ae516b
SHA1

0c139e5e310812636f56024d31fa5d6c88420fec
SHA256

b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051
SHA512

fa3b5f209f8df73aeeae7ed84a970fef36ad4abe329d53daf92253f65041bbf027631a9522e5d63c3a1baa20487d7148906b0af134c3bc603c8537b9ddf9535a
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWJ:MbIvYvZEyFKF6N4yS+AQmZTl/5OJ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3640	omsecor.exe
4348	omsecor.exe
976	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3640	1096	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	83
PID 1096 wrote to memory of 3640	1096	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	83
PID 1096 wrote to memory of 3640	1096	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	83
PID 3640 wrote to memory of 4348	3640	omsecor.exe	93
PID 3640 wrote to memory of 4348	3640	omsecor.exe	93
PID 3640 wrote to memory of 4348	3640	omsecor.exe	93
PID 4348 wrote to memory of 976	4348	omsecor.exe	94
PID 4348 wrote to memory of 976	4348	omsecor.exe	94
PID 4348 wrote to memory of 976	4348	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
"C:\Users\Admin\AppData\Local\Temp\b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6f7c7660e7766d44aec6eb26b048a8e0

SHA1
cef0a7bb89190e97204b5ffb8003b92044e71cfd

SHA256
bca31885eaa9ad330e3920671aa07933bd2bacdf2651427a25258f33d2c83e8a

SHA512
bb515fdd7c092186b2fb0d9c5c47a147874a8a9fb2aef85a5d73a1430a2b7c3021de7071fea310a334d6c7502a19e65cc0d27393ed8f10e797a19cd700584012

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
8486bc990cc2239c6ae8c11925e2c3ac

SHA1
ae4a7f3aab01d78435d383c358969e558b7a64a8

SHA256
5e42eead044de70b980038c97bbe1ce922ea9d08a17b8d20dae6e92ecbf33af8

SHA512
9e3030901bc9f927863fc88e605408f8d350d6c318e9e079871f886b2a6f5e4b3d8e147e1d94a595d9ee0ae3d39d957c2c8f012cdd41590027a4c57f04303778

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
df106ab6da586bbb8966edd42fc0dcab

SHA1
ba2cfc0f33d92cb406974fb6c6a693de97d71382

SHA256
614bbd881f8d35609fafe83da3b4781e8dea487fc3f8f9f359370c4cba95da33

SHA512
773bdbb2d22c346f9fb3a43b53a0c53f2d48b8b8c29dad2a7401dd083965c99e02b95ae015810af210dc1a6ef9c2398d69f2560fbc54e16910414ce14b0cb838

Download Submit