neconyd | e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
Size

96KB
MD5

2b32d2832eb8548a895dbc2601b8a466
SHA1

894ae484347b6df1d07e1c3811cde83308d08329
SHA256

e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3
SHA512

f64a78d79f22d9f0c1550363777084537275dd351f33d2c272791b8ac1a43e92c57fdb104fa8131d134fec4bf6bd14e8fcbc51dfe00c1a9ccdb3d45b71041bef
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxh:0Gs8cd8eXlYairZYqMddH13h

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3000	omsecor.exe
2352	omsecor.exe
1892	omsecor.exe
1656	omsecor.exe
1352	omsecor.exe
2172	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
3000	omsecor.exe
2352	omsecor.exe
2352	omsecor.exe
1656	omsecor.exe
1656	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 3000 set thread context of 2352	3000	omsecor.exe	32
PID 1892 set thread context of 1656	1892	omsecor.exe	36
PID 1352 set thread context of 2172	1352	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2516 wrote to memory of 2264	2516	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2264 wrote to memory of 3000	2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 2264 wrote to memory of 3000	2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 2264 wrote to memory of 3000	2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 2264 wrote to memory of 3000	2264	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 3000 wrote to memory of 2352	3000	omsecor.exe	32
PID 2352 wrote to memory of 1892	2352	omsecor.exe	35
PID 2352 wrote to memory of 1892	2352	omsecor.exe	35
PID 2352 wrote to memory of 1892	2352	omsecor.exe	35
PID 2352 wrote to memory of 1892	2352	omsecor.exe	35
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1892 wrote to memory of 1656	1892	omsecor.exe	36
PID 1656 wrote to memory of 1352	1656	omsecor.exe	37
PID 1656 wrote to memory of 1352	1656	omsecor.exe	37
PID 1656 wrote to memory of 1352	1656	omsecor.exe	37
PID 1656 wrote to memory of 1352	1656	omsecor.exe	37
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38
PID 1352 wrote to memory of 2172	1352	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
"C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
  C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d48ed081dee2cb716a1daf825a1f6dd8

SHA1
8eedb531d719d8fb54478d7692b1fd707fe34074

SHA256
ce1052dbd9a40d7a4011189b9a8a4aa7c98fdefa587c2177f80ad865318778c9

SHA512
d40fbba8695e97f583ac6f3a4be991029d8c529cd24c8852504f315c6f2b78fd6a03bd7cb8bf895a997d2aa1e801d4d3e32827df7bc00d78d434f2671d1ad58b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b54af3d14baca8a4104e54d7d23b7a94

SHA1
993695c103b06f4634e24847fd6c206fdc69922a

SHA256
0f115b4eab572a01f45316a7b66666e6b32e87d683ce994246a1faa65c584194

SHA512
f819c9d86aba63b1df6da5efb9c316fdbfa06dde19e2e181d5e113b1edf6bae3fd61d0a5f42ddcfb7b17b579848a9fdf85ac9244b6201d88709eac7fef59985f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7899fb77a9f46fac09e54abba10a3ace

SHA1
853d92f5cf096440832eb40d520b8e17aa3a343a

SHA256
0a2813f9fb70905f2c86ca3c141da54acbe27cc3a3e74172e97960bdf0d0deaa

SHA512
ec66548b44bef0fe81ac2773e999a1acdde48dc1cafeeb2a6000628cb80220d4606af158aef15acb4c274c9ce651ee9364dc7497de30cd950e70021b89881185

Download Submit
memory/1352-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1352-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2264-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2264-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-48-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2352-54-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2352-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2516-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download