neconyd | 46f9c033ee6db48d111dde50b68ac790ae0b201954bc1501e30a7f70f4597a3a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b8000f9c01a420e8bbe8764221b88a0N.exe
Size

96KB
MD5

7b8000f9c01a420e8bbe8764221b88a0
SHA1

240e672471aceb45b4fd9a0d9a2f0cb8db994323
SHA256

46f9c033ee6db48d111dde50b68ac790ae0b201954bc1501e30a7f70f4597a3a
SHA512

58706788e8e445cd8914d63b4ad3002b30c246d4313c97768360fc3767c80c5dc49abfe5849ac695b91aafac59586af6598bcf73d8606b6969810a2a5ba3c33b
SSDEEP

1536:dnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:dGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2824	omsecor.exe
2756	omsecor.exe
496	omsecor.exe
1708	omsecor.exe
588	omsecor.exe
3064	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2144	7b8000f9c01a420e8bbe8764221b88a0N.exe
2144	7b8000f9c01a420e8bbe8764221b88a0N.exe
2824	omsecor.exe
2756	omsecor.exe
2756	omsecor.exe
1708	omsecor.exe
1708	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2824 set thread context of 2756	2824	omsecor.exe	32
PID 496 set thread context of 1708	496	omsecor.exe	35
PID 588 set thread context of 3064	588	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b8000f9c01a420e8bbe8764221b88a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b8000f9c01a420e8bbe8764221b88a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2644 wrote to memory of 2144	2644	7b8000f9c01a420e8bbe8764221b88a0N.exe	30
PID 2144 wrote to memory of 2824	2144	7b8000f9c01a420e8bbe8764221b88a0N.exe	31
PID 2144 wrote to memory of 2824	2144	7b8000f9c01a420e8bbe8764221b88a0N.exe	31
PID 2144 wrote to memory of 2824	2144	7b8000f9c01a420e8bbe8764221b88a0N.exe	31
PID 2144 wrote to memory of 2824	2144	7b8000f9c01a420e8bbe8764221b88a0N.exe	31
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2824 wrote to memory of 2756	2824	omsecor.exe	32
PID 2756 wrote to memory of 496	2756	omsecor.exe	34
PID 2756 wrote to memory of 496	2756	omsecor.exe	34
PID 2756 wrote to memory of 496	2756	omsecor.exe	34
PID 2756 wrote to memory of 496	2756	omsecor.exe	34
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 496 wrote to memory of 1708	496	omsecor.exe	35
PID 1708 wrote to memory of 588	1708	omsecor.exe	36
PID 1708 wrote to memory of 588	1708	omsecor.exe	36
PID 1708 wrote to memory of 588	1708	omsecor.exe	36
PID 1708 wrote to memory of 588	1708	omsecor.exe	36
PID 588 wrote to memory of 3064	588	omsecor.exe	37
PID 588 wrote to memory of 3064	588	omsecor.exe	37
PID 588 wrote to memory of 3064	588	omsecor.exe	37
PID 588 wrote to memory of 3064	588	omsecor.exe	37
PID 588 wrote to memory of 3064	588	omsecor.exe	37
PID 588 wrote to memory of 3064	588	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\7b8000f9c01a420e8bbe8764221b88a0N.exe
"C:\Users\Admin\AppData\Local\Temp\7b8000f9c01a420e8bbe8764221b88a0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\7b8000f9c01a420e8bbe8764221b88a0N.exe
  C:\Users\Admin\AppData\Local\Temp\7b8000f9c01a420e8bbe8764221b88a0N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:496
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a79b7af97a011e7a11c9fd66593bcd8f

SHA1
583f277858345e5d0c9ea112c7ccccf402a2c4eb

SHA256
ecaaae649f6dcb9398e214c2ae4b7966406d2323db6bbd12194003a0c851f92d

SHA512
cb3ae471b70e68aa2dc2f5247f305aa0413ada5f80b1b3ae54c5221f7fc118f9f4c8caf17ccc1b1c3bcae224fe0a0a00848db0dd3b5cd965eedf01173f3adf23

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
22a9cd67e36e02fe6e9d5233cdeca766

SHA1
e3682b77c71555f72a1cade9ddb537e0114ed112

SHA256
22aaeb813a8d3021af55e77f537b2677a888e1457aa77ed1dc2a68f5354f6199

SHA512
c1541fecf1efe2ece52b9d65694fb86ddcc6581a711c828f45dc89e717e8931ea67113f53396a83d4487b6f312a435d6d576f14de6b20cf5191d11cbb595b9d8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2e4f4862a9def0229e443f374145a9ee

SHA1
04028689bd1f09ef7ac8842adbda40b70f26d9d5

SHA256
bf534bb58149f8620e8321aa6821c0a6cf3fe2711365c918bae7320abae1d662

SHA512
bb480b9dc5434eec5a946f036708f9091a3b558b8a21ae4c3a3931a4f8b319ba705dabd018102c096d45a634810b888ace237d2c6c994fcd375de34dc71c89ea

Download Submit
memory/496-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/588-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/588-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2144-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-2-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2644-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2756-57-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2756-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-89-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2824-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2824-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3064-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download