neconyd | c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
Size

96KB
MD5

684db03460fec07bb52d45ddbe88ef7f
SHA1

eed150848deec74fbc51e317f93689d725a4ccca
SHA256

c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3
SHA512

fa2fe46f79d5aa2e28f1f914e5bc2cac16e4e4a0549cb6bb54c4d630b71dd85eb6873d405e8372d216ded2702c2e34e56b312d6ae118b7227027730ce6f0b800
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:QGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2536	omsecor.exe
2652	omsecor.exe
1548	omsecor.exe
1036	omsecor.exe
1848	omsecor.exe
2216	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
2536	omsecor.exe
2652	omsecor.exe
2652	omsecor.exe
1036	omsecor.exe
1036	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 2536 set thread context of 2652	2536	omsecor.exe	33
PID 1548 set thread context of 1036	1548	omsecor.exe	37
PID 1848 set thread context of 2216	1848	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 1752 wrote to memory of 2332	1752	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	31
PID 2332 wrote to memory of 2536	2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	32
PID 2332 wrote to memory of 2536	2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	32
PID 2332 wrote to memory of 2536	2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	32
PID 2332 wrote to memory of 2536	2332	c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe	32
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2536 wrote to memory of 2652	2536	omsecor.exe	33
PID 2652 wrote to memory of 1548	2652	omsecor.exe	36
PID 2652 wrote to memory of 1548	2652	omsecor.exe	36
PID 2652 wrote to memory of 1548	2652	omsecor.exe	36
PID 2652 wrote to memory of 1548	2652	omsecor.exe	36
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1548 wrote to memory of 1036	1548	omsecor.exe	37
PID 1036 wrote to memory of 1848	1036	omsecor.exe	38
PID 1036 wrote to memory of 1848	1036	omsecor.exe	38
PID 1036 wrote to memory of 1848	1036	omsecor.exe	38
PID 1036 wrote to memory of 1848	1036	omsecor.exe	38
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
"C:\Users\Admin\AppData\Local\Temp\c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
  C:\Users\Admin\AppData\Local\Temp\c4ccf306a2dc654513a81638eb1232c92a185a349064b7a6a6e9195eb70304b3.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7f723d8fdcac549cceb5f173703081ab

SHA1
c1288d001e11593683c8b28b0e730471fd022653

SHA256
f4cdeca0857efb5791ae20e55a8b57f8cb788b29201d806d6fa681c1334d410e

SHA512
1da676c8cdacb6c167a9c9f4d2ef80ba39277ba21cc945a642eb724a53da8fb359e41f895ffcc6c36ab99f6bde269a9c51f77c8e1a77eb80210cb23f3da157d3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b7aa0cc0e878cee92d2f5d2f04a67d29

SHA1
9450d9f8ce9d2716bdee9d6f52222be15c5d0750

SHA256
2b310f73a5fda805a07d406a28c97348b1ee3a73245d90a75aeb36a6283bc4a0

SHA512
4de87685e2902af8e141da4caf0d3ab1db4f58be0c133cd1ff9dfc2768eff3cbefbf09f8cf5b7621536a5d4d0ad2f0c97219245338c3616f3b1a0f9c3fba9eaf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
bda234e469e8c41433686af981c612de

SHA1
3de59824b10c5000ab284e0d69b2c24c85df745b

SHA256
b290c7c94a120dbe86ad2c825715d73edc476d5a8941261e503efa26c90f112c

SHA512
aaf743bb4ffdd996afbe493cf9b5e2618585198c133f2d8193f98b32587b31be09521981876cec4c523346c2526acc4a603357f2368955096cc22d37eb6c5735

Download Submit
memory/1036-91-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1036-79-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1548-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2536-25-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2536-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2536-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-49-0x0000000002390000-0x00000000023B3000-memory.dmp

Filesize
140KB

Download
memory/2652-56-0x0000000002390000-0x00000000023B3000-memory.dmp

Filesize
140KB

Download
memory/2652-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download