neconyd | c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07

Analysis

max time kernel
87s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
Size

96KB
MD5

7beb27f76749602f71e980c0e44bae64
SHA1

dc19c7789d666a544e2ed9d2c35348cbafc3f955
SHA256

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07
SHA512

ac4815f8b935871d0281d0efc88dae08a84fd6fbfff871019b0bcfeb78a42e7a4463fc9ec68f5e8145d4673a358262db340f583a99b3a534b3c691b4adba3856
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:RGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
2756	omsecor.exe
2928	omsecor.exe
3024	omsecor.exe
3004	omsecor.exe
2352	omsecor.exe
2064	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
2756	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe
3004	omsecor.exe
3004	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 1656 set thread context of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 2756 set thread context of 2928	2756	omsecor.exe	31
PID 3024 set thread context of 3004	3024	omsecor.exe	34
PID 2352 set thread context of 2064	2352	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exec05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exec05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exec05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1656 wrote to memory of 1428	1656	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	29
PID 1428 wrote to memory of 2756	1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	30
PID 1428 wrote to memory of 2756	1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	30
PID 1428 wrote to memory of 2756	1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	30
PID 1428 wrote to memory of 2756	1428	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	30
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2756 wrote to memory of 2928	2756	omsecor.exe	31
PID 2928 wrote to memory of 3024	2928	omsecor.exe	33
PID 2928 wrote to memory of 3024	2928	omsecor.exe	33
PID 2928 wrote to memory of 3024	2928	omsecor.exe	33
PID 2928 wrote to memory of 3024	2928	omsecor.exe	33
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3024 wrote to memory of 3004	3024	omsecor.exe	34
PID 3004 wrote to memory of 2352	3004	omsecor.exe	35
PID 3004 wrote to memory of 2352	3004	omsecor.exe	35
PID 3004 wrote to memory of 2352	3004	omsecor.exe	35
PID 3004 wrote to memory of 2352	3004	omsecor.exe	35
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36
PID 2352 wrote to memory of 2064	2352	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
"C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
  C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b01974f0709b53a01e01752bc9690222

SHA1
afa84cf60302b6b4ac234cc312ec8e277359dc34

SHA256
8fc449194d40631141a4b20afb1c31ba517f1ceb036c0fb406293ca9344fe041

SHA512
e2390579469d390203c3e7cbf9100508f731adc2c42566914fe88c9ca10ba933c034a253f80dd5ff7e42a4a1ed6f8a9c2d4b8b822b6880498be576604cd58e81

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
11f494223ad31b8272acd9d019838774

SHA1
f6c25505bb80fa68195e1e00cca5b8ebc065845f

SHA256
14554e5926f4cd32b000277b60d740bd1993fdcee08696293df88cfb15a9a527

SHA512
479b7ecf716239d98ac2901edfd4425437bd9d75aeb13e210579ba1fb4039c3c9c0d5929d7651f306a592001d599b1190750735113856037ea3adb4ad9154a1b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36289f1131c98000634c94116b97d6b2

SHA1
97162d00eda8deac7ce9af286e92df2a50cdb6ec

SHA256
3af82802c18f8789a1ab5f22ccfb211bd864b6364d46226c3f0bcde331737027

SHA512
3135653f5e670099d4d99a10eccef90ed32b55d1f9e75a52ba9afb57961a7b75648c5671a97b48a635e7d79b86c130ce583f6b0d5d3929893efca7b165502da2

Download Submit
memory/1428-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1428-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1428-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1656-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2756-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-48-0x0000000000390000-0x00000000003B3000-memory.dmp

Filesize
140KB

Download
memory/2928-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3024-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download