neconyd | 29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Size

96KB
MD5

686314d255c8dc7433a5589a68e2118f
SHA1

3bd6ad33bb317458e972e942e122a534b5dc2f8f
SHA256

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc
SHA512

99a26a74d6e01acc6693298e1241ec5681bfb4b24797e76202bcac7db757f7e741b1bf4344aa7a75c9944d52d251db8e72c11711769e75f0035f6cc8ae36da48
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:0Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1268	omsecor.exe
2024	omsecor.exe
1152	omsecor.exe
2800	omsecor.exe
1840	omsecor.exe
2964	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
1268	omsecor.exe
2024	omsecor.exe
2024	omsecor.exe
2800	omsecor.exe
2800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 1268 set thread context of 2024	1268	omsecor.exe	32
PID 1152 set thread context of 2800	1152	omsecor.exe	36
PID 1840 set thread context of 2964	1840	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2336 wrote to memory of 1156	2336	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 1156 wrote to memory of 1268	1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1156 wrote to memory of 1268	1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1156 wrote to memory of 1268	1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1156 wrote to memory of 1268	1156	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 1268 wrote to memory of 2024	1268	omsecor.exe	32
PID 2024 wrote to memory of 1152	2024	omsecor.exe	35
PID 2024 wrote to memory of 1152	2024	omsecor.exe	35
PID 2024 wrote to memory of 1152	2024	omsecor.exe	35
PID 2024 wrote to memory of 1152	2024	omsecor.exe	35
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 1152 wrote to memory of 2800	1152	omsecor.exe	36
PID 2800 wrote to memory of 1840	2800	omsecor.exe	37
PID 2800 wrote to memory of 1840	2800	omsecor.exe	37
PID 2800 wrote to memory of 1840	2800	omsecor.exe	37
PID 2800 wrote to memory of 1840	2800	omsecor.exe	37
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38
PID 1840 wrote to memory of 2964	1840	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
"C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
29b1b355833da1b72a5b3feed6b5e592

SHA1
e17a9b47aa5f75964084cd12a014779c141c8e28

SHA256
02adf171a2181bcfbc1c428b3e30c76df58bcc6aa674348236bd2f3408a07d25

SHA512
80071b57966561419d8ec9091d0eb44a4cd5f811796a274944c0f0580731f1523d1d2e2602b8522d30f3c10bd16e8852e3c3016821eae8da58f1b2b47f1ec3e0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
10c1d9395b24bac0a5a08bacee84ef1a

SHA1
d3617fea8eff52c3e1d335e2b5c5e0a311eff6a0

SHA256
c1c5b995f0bdc2690aa9f394849334c228108873aeac950871a33dd9b8752d77

SHA512
90216088dfb27de412def08ede1715d8a70c6f2cc9b09b22724a443b0a01bdca64a93827a3830889980f113b9db0ae24b1f0534011057ee0c45830781dbde109

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3d03b896f0b8c1b7d2835a59db920a66

SHA1
6e4cd1c2b2dba6a03fa91444c3a970e95245c6a7

SHA256
ac37e7bcfa32b7eaee87d1595459e77c60da6ca86b67ce9a793b37886c03edf4

SHA512
e6054c6b25e1efb21f97339e0f978a6605d3275687fd90275b36d19e1d701674909e288e8f03b37e1853498bdf8cabad450992477b882208a62e03483ee5948d

Download Submit
memory/1152-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1156-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1156-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1268-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1268-33-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1840-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2024-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-54-0x0000000002010000-0x0000000002033000-memory.dmp

Filesize
140KB

Download
memory/2024-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-52-0x0000000002010000-0x0000000002033000-memory.dmp

Filesize
140KB

Download
memory/2024-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2800-72-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2964-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download