neconyd | 29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc

Analysis

max time kernel
115s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Size

96KB
MD5

686314d255c8dc7433a5589a68e2118f
SHA1

3bd6ad33bb317458e972e942e122a534b5dc2f8f
SHA256

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc
SHA512

99a26a74d6e01acc6693298e1241ec5681bfb4b24797e76202bcac7db757f7e741b1bf4344aa7a75c9944d52d251db8e72c11711769e75f0035f6cc8ae36da48
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:0Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3068	omsecor.exe
1716	omsecor.exe
892	omsecor.exe
2032	omsecor.exe
2008	omsecor.exe
2108	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
3068	omsecor.exe
1716	omsecor.exe
1716	omsecor.exe
2032	omsecor.exe
2032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 3068 set thread context of 1716	3068	omsecor.exe	32
PID 892 set thread context of 2032	892	omsecor.exe	36
PID 2008 set thread context of 2108	2008	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 2096 wrote to memory of 1744	2096	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	30
PID 1744 wrote to memory of 3068	1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1744 wrote to memory of 3068	1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1744 wrote to memory of 3068	1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 1744 wrote to memory of 3068	1744	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	31
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 3068 wrote to memory of 1716	3068	omsecor.exe	32
PID 1716 wrote to memory of 892	1716	omsecor.exe	35
PID 1716 wrote to memory of 892	1716	omsecor.exe	35
PID 1716 wrote to memory of 892	1716	omsecor.exe	35
PID 1716 wrote to memory of 892	1716	omsecor.exe	35
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 892 wrote to memory of 2032	892	omsecor.exe	36
PID 2032 wrote to memory of 2008	2032	omsecor.exe	37
PID 2032 wrote to memory of 2008	2032	omsecor.exe	37
PID 2032 wrote to memory of 2008	2032	omsecor.exe	37
PID 2032 wrote to memory of 2008	2032	omsecor.exe	37
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38
PID 2008 wrote to memory of 2108	2008	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
"C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
29b1b355833da1b72a5b3feed6b5e592

SHA1
e17a9b47aa5f75964084cd12a014779c141c8e28

SHA256
02adf171a2181bcfbc1c428b3e30c76df58bcc6aa674348236bd2f3408a07d25

SHA512
80071b57966561419d8ec9091d0eb44a4cd5f811796a274944c0f0580731f1523d1d2e2602b8522d30f3c10bd16e8852e3c3016821eae8da58f1b2b47f1ec3e0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1e5a853c629c5b3217c4c9619933358a

SHA1
130afeccf21da743c6162143bf1951245703ba05

SHA256
cb0834cdafe261edb0855c70e4454c5b31c5ad17d337790fa620792069af6f8e

SHA512
03a3df2b1187bcca43226cb0783f18b94b94f29a1459634a220f01386df1b93bcffeeb5313eced2b59c8223fb55494bdcb5014355c7101b9d48e54194019f480

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
595462230e0ea2236629f1abe4d5b643

SHA1
57f10afe0878e4446698d012d6b515a47578463d

SHA256
ac4775986a65ee9351b7c6e9daf474883b511b414c1e6e5a758dffd26f82ad18

SHA512
8ed80a1b419de4c1aba9a6423e342007832b0101bfd479ecd88123a369e2620e56abe0831a6f2db2a7080bb9d8507a739a2a371410a536ac9dd0c5ed30fd3a2d

Download Submit
memory/892-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/892-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1716-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/1716-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1744-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1744-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1744-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1744-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1744-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2032-72-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2096-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download