neconyd | efbccf57d9e7fdfe4fbf2457a06b3daba7a5d1a2c1112c058b8c8401e630ee86

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c465ff2dd75a6203c1607f802ba2aec0N.exe
Size

96KB
MD5

c465ff2dd75a6203c1607f802ba2aec0
SHA1

b3c81a03cd5d48ce54e630807d3369a6f27de4c1
SHA256

efbccf57d9e7fdfe4fbf2457a06b3daba7a5d1a2c1112c058b8c8401e630ee86
SHA512

4292df9f488478f30d0754cec0d5a3f7030e231474d02c5944bc3ff8081448b0cc8991173919616e0e1ceab5cae8920b2ed7d4f140b575c15b833bf48ee08ef5
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:PGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2152	omsecor.exe
3016	omsecor.exe
1840	omsecor.exe
2680	omsecor.exe
1696	omsecor.exe
2856	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2148	c465ff2dd75a6203c1607f802ba2aec0N.exe
2148	c465ff2dd75a6203c1607f802ba2aec0N.exe
2152	omsecor.exe
3016	omsecor.exe
3016	omsecor.exe
2680	omsecor.exe
2680	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 2152 set thread context of 3016	2152	omsecor.exe	32
PID 1840 set thread context of 2680	1840	omsecor.exe	36
PID 1696 set thread context of 2856	1696	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c465ff2dd75a6203c1607f802ba2aec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c465ff2dd75a6203c1607f802ba2aec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 1704 wrote to memory of 2148	1704	c465ff2dd75a6203c1607f802ba2aec0N.exe	30
PID 2148 wrote to memory of 2152	2148	c465ff2dd75a6203c1607f802ba2aec0N.exe	31
PID 2148 wrote to memory of 2152	2148	c465ff2dd75a6203c1607f802ba2aec0N.exe	31
PID 2148 wrote to memory of 2152	2148	c465ff2dd75a6203c1607f802ba2aec0N.exe	31
PID 2148 wrote to memory of 2152	2148	c465ff2dd75a6203c1607f802ba2aec0N.exe	31
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 2152 wrote to memory of 3016	2152	omsecor.exe	32
PID 3016 wrote to memory of 1840	3016	omsecor.exe	35
PID 3016 wrote to memory of 1840	3016	omsecor.exe	35
PID 3016 wrote to memory of 1840	3016	omsecor.exe	35
PID 3016 wrote to memory of 1840	3016	omsecor.exe	35
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 1840 wrote to memory of 2680	1840	omsecor.exe	36
PID 2680 wrote to memory of 1696	2680	omsecor.exe	37
PID 2680 wrote to memory of 1696	2680	omsecor.exe	37
PID 2680 wrote to memory of 1696	2680	omsecor.exe	37
PID 2680 wrote to memory of 1696	2680	omsecor.exe	37
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38
PID 1696 wrote to memory of 2856	1696	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
"C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
  C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
71f3c35c8f2014ae2bf9cad875386c99

SHA1
e0756f4227e8616aa00b0f0a9b4f171225fc3d14

SHA256
622dc432a168e9149d4a532546b970b73c7699444805f211e248a04fcb835053

SHA512
d1c81e624b6a5ae3e96150caf939893d794bff24af720639cab275fb198ba2e6c63987be4883c468433e47daaaa4046c26d4d6d54caed645f8ea4502c9dc5cfb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c421e3403798c5fd4fce4d192112b10c

SHA1
f4e74bb67c9cc2c7246c833bf4c97a65886251c5

SHA256
0427f943e323db3ba90d1340f683f2100a419fc14f0d3c13327d93a9a8aef428

SHA512
a410716bf34f0aac9e9623492061c18a53b853406b0678c5be8332400d26e4fc65bf571e01daa963779bf4037ffa645f81a02265174cd2db2ec8c746525f7aa3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
61b1fa02f537de5fcf30e736524c0a23

SHA1
726c0f9e4f43fc94d8f4a88e587cd1e7f0f04f12

SHA256
7356c01cef8462bd7e5ae987b47699be889be0dbe4f290a801775813ce72043a

SHA512
6d65f29fe474119fdc013aed109db34887ed6bbd80cff9aee9e1a08f49d79d9ebd532471fd3cc08cfd21316c67f373bd6c26c73598a7ab2762948ee38e79088d

Download Submit
memory/1696-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1704-1-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/1704-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1704-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2148-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-15-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2148-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-74-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2856-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-49-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/3016-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download