neconyd | 04fa89879d9bddd30b2d38f901a2fab449525b92dcaa89a5132d58cf2135ac30

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d21740aea37873f548dcd73bdb0f90N.exe
Size

134KB
MD5

04d21740aea37873f548dcd73bdb0f90
SHA1

d4b1d81498bcf33094756f722229bf813af163b4
SHA256

04fa89879d9bddd30b2d38f901a2fab449525b92dcaa89a5132d58cf2135ac30
SHA512

7b95840aeac9fb90d8dee4b22804f6139f4c9ac4937376c0845c9359ef2db0152b6ebc8b9fb1417e6498f0cffbe14e18829dfc3dd506f7acfb9b41d7c4c5a745
SSDEEP

1536:5DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:piRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2724	omsecor.exe
2780	omsecor.exe
3020	omsecor.exe
480	omsecor.exe
2040	omsecor.exe
760	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2764	04d21740aea37873f548dcd73bdb0f90N.exe
2764	04d21740aea37873f548dcd73bdb0f90N.exe
2724	omsecor.exe
2780	omsecor.exe
2780	omsecor.exe
480	omsecor.exe
480	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2724 set thread context of 2780	2724	omsecor.exe	32
PID 3020 set thread context of 480	3020	omsecor.exe	36
PID 2040 set thread context of 760	2040	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04d21740aea37873f548dcd73bdb0f90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04d21740aea37873f548dcd73bdb0f90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2352 wrote to memory of 2764	2352	04d21740aea37873f548dcd73bdb0f90N.exe	30
PID 2764 wrote to memory of 2724	2764	04d21740aea37873f548dcd73bdb0f90N.exe	31
PID 2764 wrote to memory of 2724	2764	04d21740aea37873f548dcd73bdb0f90N.exe	31
PID 2764 wrote to memory of 2724	2764	04d21740aea37873f548dcd73bdb0f90N.exe	31
PID 2764 wrote to memory of 2724	2764	04d21740aea37873f548dcd73bdb0f90N.exe	31
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2724 wrote to memory of 2780	2724	omsecor.exe	32
PID 2780 wrote to memory of 3020	2780	omsecor.exe	35
PID 2780 wrote to memory of 3020	2780	omsecor.exe	35
PID 2780 wrote to memory of 3020	2780	omsecor.exe	35
PID 2780 wrote to memory of 3020	2780	omsecor.exe	35
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 3020 wrote to memory of 480	3020	omsecor.exe	36
PID 480 wrote to memory of 2040	480	omsecor.exe	37
PID 480 wrote to memory of 2040	480	omsecor.exe	37
PID 480 wrote to memory of 2040	480	omsecor.exe	37
PID 480 wrote to memory of 2040	480	omsecor.exe	37
PID 2040 wrote to memory of 760	2040	omsecor.exe	38
PID 2040 wrote to memory of 760	2040	omsecor.exe	38
PID 2040 wrote to memory of 760	2040	omsecor.exe	38
PID 2040 wrote to memory of 760	2040	omsecor.exe	38
PID 2040 wrote to memory of 760	2040	omsecor.exe	38
PID 2040 wrote to memory of 760	2040	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\04d21740aea37873f548dcd73bdb0f90N.exe
"C:\Users\Admin\AppData\Local\Temp\04d21740aea37873f548dcd73bdb0f90N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\04d21740aea37873f548dcd73bdb0f90N.exe
  C:\Users\Admin\AppData\Local\Temp\04d21740aea37873f548dcd73bdb0f90N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
6a8fd538ced54e2d55c92241e979c0c2

SHA1
aae8fd739646026d3ba31970af2fc1774749d5e8

SHA256
2bd444629d307f575c03dad9704f67b844743eab723f80e79acea377a892aeb6

SHA512
c51aae3347993990995444ac084dbfdc1ceb73c9fd4672dba79a3e07eed1d301561eea6447b63fdd9f347e823561f327241cfba02876f57fae6ba9c206e1b3fe

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b6c51de761b38e826903f61fd0936ea2

SHA1
8a60762f2d4d4e0f79746188397dd07a6f6b0bee

SHA256
7d752ff423c3e87fa0c32e8e94a1bbc10c8651fd2c9aaf50b3eef1010bf45358

SHA512
d5ee4b7d639418c4e49a4b3fa467bccf1bd2a8dff25ff454342cdfe4c9f113035c9f04d8b241c5e26d4d20fe018c0d7a5690849875eecdf2d3651d40ab0cd1cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
877f3c2ed396dc2ddc70484f057e761a

SHA1
3850d6dbd0cdede7869c72a2cbcb425c7d02e439

SHA256
2ca93561abf8da57dc23cd6d107e8c806d5cf42769fd2e2327befe34c58ae5aa

SHA512
40a8cdd99aeb6bb2a75d1c1f1868181b8f5e2cd36f49421f0023e0f3bb5878666468b0c9d7ce61816cebe066d063f7b61d84650d02eb0a0a49a4fd38878c4890

Download Submit
memory/480-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/760-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2040-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2352-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2352-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-45-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2780-52-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2780-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download