neconyd | ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
Size

96KB
MD5

213802d4c490fe65e042f0c4061f8e1b
SHA1

46675495a4e630675ebf08b20d0b1fa2c7be3d0a
SHA256

ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c
SHA512

263f46e4edc98666b8f2ff972e216d778c395bfa2eb82ec2974bccb293515ea2f66a2cd1c54d4fd4f9b31564471eb22eb495a4125b92b5598583e1d1c0c83422
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:0Gs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2092	omsecor.exe
2844	omsecor.exe
732	omsecor.exe
760	omsecor.exe
2632	omsecor.exe
2440	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
2092	omsecor.exe
2844	omsecor.exe
2844	omsecor.exe
760	omsecor.exe
760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 2092 set thread context of 2844	2092	omsecor.exe	32
PID 732 set thread context of 760	732	omsecor.exe	36
PID 2632 set thread context of 2440	2632	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3004 wrote to memory of 3068	3004	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	30
PID 3068 wrote to memory of 2092	3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	31
PID 3068 wrote to memory of 2092	3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	31
PID 3068 wrote to memory of 2092	3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	31
PID 3068 wrote to memory of 2092	3068	ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe	31
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2092 wrote to memory of 2844	2092	omsecor.exe	32
PID 2844 wrote to memory of 732	2844	omsecor.exe	35
PID 2844 wrote to memory of 732	2844	omsecor.exe	35
PID 2844 wrote to memory of 732	2844	omsecor.exe	35
PID 2844 wrote to memory of 732	2844	omsecor.exe	35
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 732 wrote to memory of 760	732	omsecor.exe	36
PID 760 wrote to memory of 2632	760	omsecor.exe	37
PID 760 wrote to memory of 2632	760	omsecor.exe	37
PID 760 wrote to memory of 2632	760	omsecor.exe	37
PID 760 wrote to memory of 2632	760	omsecor.exe	37
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38
PID 2632 wrote to memory of 2440	2632	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
"C:\Users\Admin\AppData\Local\Temp\ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
  C:\Users\Admin\AppData\Local\Temp\ed32ab03e84d733dfce6abd10965a0078ce51e508e4fad93ff2b4d7b6dd6fb2c.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
edb885af998186f010905e92d6f4af57

SHA1
1d514ff96cf439007d567c243db9c02e76bde2e9

SHA256
5b3df55916cf6532828a0b1765f6a985e20b9b01fc678ed094c907454ecdaf1f

SHA512
dd9ced3d6907305118d0c1f432e946bbda52c3cc214f2e1ddade968c940b9ab5ba8a37046e320cbf2b41f3196c368940f76e0f90df4016dcb35a5b1d0ffdf138

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c4f437113684555e3471334b3cbf9391

SHA1
414d3301d5fe329dc186fa84306543d9768f82ee

SHA256
875d5e6cead7354deab7c9d860a3b79cde5c6e102d3bc10921b3a9b5f1da6d4d

SHA512
4247f484eafe512a4936b33ccd51bd421f1dbdac78708bafb41ec40e44839760429513fe4791058069918947ab26e2c1241a7adae6366abbd4735583f597b346

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e6c8f9dc8fce7035797e77985998f631

SHA1
c49acd25c30efa98479dc5bf8e9f49829748f5fa

SHA256
5cda8deabe1b224b4f8de1fd2dce9a2554a17f8916a3612159dac28a1df5ddae

SHA512
109a325a41b0a49fa5433a4938f65b834fc1046016bbe137a9731a28aca0be45c9e2779c2dd0d8e91dc30908af70b146d3c1b3de09c49cf2866a2bf49015993b

Download Submit
memory/732-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/732-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/760-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2092-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-24-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/2092-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2440-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2632-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2844-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download