neconyd | 05d68f3fc4cd2cb1094479cdd8c0df96409dcd683a7fdc9ce5bafaebfb2d3394

Analysis

max time kernel
113s
max time network
105s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cab2aca860b4b85603259bed9190ac90N.exe
Size

134KB
MD5

cab2aca860b4b85603259bed9190ac90
SHA1

b6412867db4bfbd05024a42567312306d73c1f60
SHA256

05d68f3fc4cd2cb1094479cdd8c0df96409dcd683a7fdc9ce5bafaebfb2d3394
SHA512

fd26f3d30d5cf19afe382cfe672f94edfc49226c9c228837531b0b66ccef91cbc99f465e5312bdfc69d802fb639f00d0329553b6e46b506a3479d1387e1d15bd
SSDEEP

1536:UDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:qiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1520	omsecor.exe
768	omsecor.exe
1976	omsecor.exe
2104	omsecor.exe
2216	omsecor.exe
2060	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3056	cab2aca860b4b85603259bed9190ac90N.exe
3056	cab2aca860b4b85603259bed9190ac90N.exe
1520	omsecor.exe
768	omsecor.exe
768	omsecor.exe
2104	omsecor.exe
2104	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 1520 set thread context of 768	1520	omsecor.exe	32
PID 1976 set thread context of 2104	1976	omsecor.exe	36
PID 2216 set thread context of 2060	2216	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cab2aca860b4b85603259bed9190ac90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cab2aca860b4b85603259bed9190ac90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 900 wrote to memory of 3056	900	cab2aca860b4b85603259bed9190ac90N.exe	30
PID 3056 wrote to memory of 1520	3056	cab2aca860b4b85603259bed9190ac90N.exe	31
PID 3056 wrote to memory of 1520	3056	cab2aca860b4b85603259bed9190ac90N.exe	31
PID 3056 wrote to memory of 1520	3056	cab2aca860b4b85603259bed9190ac90N.exe	31
PID 3056 wrote to memory of 1520	3056	cab2aca860b4b85603259bed9190ac90N.exe	31
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 1520 wrote to memory of 768	1520	omsecor.exe	32
PID 768 wrote to memory of 1976	768	omsecor.exe	35
PID 768 wrote to memory of 1976	768	omsecor.exe	35
PID 768 wrote to memory of 1976	768	omsecor.exe	35
PID 768 wrote to memory of 1976	768	omsecor.exe	35
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 1976 wrote to memory of 2104	1976	omsecor.exe	36
PID 2104 wrote to memory of 2216	2104	omsecor.exe	37
PID 2104 wrote to memory of 2216	2104	omsecor.exe	37
PID 2104 wrote to memory of 2216	2104	omsecor.exe	37
PID 2104 wrote to memory of 2216	2104	omsecor.exe	37
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38
PID 2216 wrote to memory of 2060	2216	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\cab2aca860b4b85603259bed9190ac90N.exe
"C:\Users\Admin\AppData\Local\Temp\cab2aca860b4b85603259bed9190ac90N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\cab2aca860b4b85603259bed9190ac90N.exe
  C:\Users\Admin\AppData\Local\Temp\cab2aca860b4b85603259bed9190ac90N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
517ddd166517b254fda8cea1476a63e4

SHA1
d9aba00732c2ed2f1f6119580ca24dfdaa2b9878

SHA256
c8ddc30e771b95e350d11d386bd62c01be8bc31b1350227ed0213adadbbc3029

SHA512
0b8180493b41f63418058d7da40ba863ad49ccce0253d3b52a4f18bb3b637b3c1d8c0a77a346963f69edc042fed0d06aa65077a08721e9a31570368ba4638095

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ea95c8ad18c8fed23e24e6d796ec954f

SHA1
2ef3974cdf0956601118a3c87ae9c1642ea120d9

SHA256
c2964fd1009443621d0cec2551d8e033d3f0a93a9a06dc799acfaf8b3020bbc0

SHA512
a1547d384d099d831d13847d1bfe7eb3ac3ad942a5f05ea2aac30c5589cf475eeb31a40e16fd008b588786a77a4aca6ab219753d7e6dc7e73050b329759a1d4d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
f1f2ab6ddef90b1b98961b9c43ec664d

SHA1
d8bf938035483609484ee3238f86b039a14fcc72

SHA256
3caa53369ed4fb10c9de21f751ea69f216ee3a819c750244a6b9fcdebcb83406

SHA512
56515e33a91368129aa1aa932c9c115dc61e59c8df33188b47cf437d9ec62361bfeadc23c1642cbcf362983e996fbc2ce49cabffe2251666d8daa955d5cab1b6

Download Submit
memory/768-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-46-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/768-53-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/768-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/900-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/900-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1520-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1520-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2060-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2104-70-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2216-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download