neconyd | 794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
Size

96KB
MD5

0249e3dd89f68358a93601b139fab1ce
SHA1

cd2de26853cbb87cad8f4d72233e9e86af263d13
SHA256

794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89
SHA512

8f2bae5839a88239a82e879c1319a5d6abf3bbb4222c7d6e05fb64a138c5236ced543c2d484109213571ace023acf7a781679c0ce70f111f40cd791dd1a11833
SSDEEP

1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:YGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2212	omsecor.exe
2628	omsecor.exe
848	omsecor.exe
2612	omsecor.exe
1476	omsecor.exe
2288	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
2212	omsecor.exe
2628	omsecor.exe
2628	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2212 set thread context of 2628	2212	omsecor.exe	33
PID 848 set thread context of 2612	848	omsecor.exe	37
PID 1476 set thread context of 2288	1476	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2060 wrote to memory of 2308	2060	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	31
PID 2308 wrote to memory of 2212	2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	32
PID 2308 wrote to memory of 2212	2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	32
PID 2308 wrote to memory of 2212	2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	32
PID 2308 wrote to memory of 2212	2308	794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe	32
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2212 wrote to memory of 2628	2212	omsecor.exe	33
PID 2628 wrote to memory of 848	2628	omsecor.exe	36
PID 2628 wrote to memory of 848	2628	omsecor.exe	36
PID 2628 wrote to memory of 848	2628	omsecor.exe	36
PID 2628 wrote to memory of 848	2628	omsecor.exe	36
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 848 wrote to memory of 2612	848	omsecor.exe	37
PID 2612 wrote to memory of 1476	2612	omsecor.exe	38
PID 2612 wrote to memory of 1476	2612	omsecor.exe	38
PID 2612 wrote to memory of 1476	2612	omsecor.exe	38
PID 2612 wrote to memory of 1476	2612	omsecor.exe	38
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39
PID 1476 wrote to memory of 2288	1476	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
"C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
  C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c87554b4d16b4d9c6b7e9cc99a82290d

SHA1
16d875aba79925654781c57c77c439a31b3962d0

SHA256
fb0af20192bd74ce698078ec23ef8c0ea98b72c569ca7d23f4604ded45b3c6ad

SHA512
c66900a276537958cd5d1c8becd098be0b350538271e89a02815b8722bd6694ae3610ae7e322e399cdefec2f9d5a05a8bbe9906c06cffcce1a3f93efa30accb7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
11013561effc70977d4d942b56d13711

SHA1
163c8a822cddf2174bb9fd682e020d9ea054dbb4

SHA256
f1bdf162e73c27b265f26524aac2e5353c4342765337e19daa89e1984f6e07b8

SHA512
5c14d6a115ca8abe7814f07ccb8cef224e0dd40f8dd7f0e333ef73ee2678d487d1e8d1e4a84aced62103790a254918ef5a723abbc06445aa3adeebe3d1c1a357

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b89265c722ccc67f27db95a6bfbaafe9

SHA1
d4e4ded82cd3848545c1895165b25441184968a7

SHA256
114f7f1bd3c8ad926170a66b8298bf46005c8b95915cdee71dfbe926b9dcd79a

SHA512
d15425d5af9ca89a690527ebb4d8be45774403c54a9e947aec51dd34e98f2537d5e6be0b53fae098d934aae8a260fca39eb496defd4c03574dac486353ae2ffc

Download Submit
memory/848-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/848-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1476-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-6-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2212-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2288-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-15-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2308-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-72-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2628-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-49-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2628-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download