neconyd | ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
Size

96KB
MD5

e1f66fe4e95dcb06c146f74a6a25eafe
SHA1

7682056101ca27bc02c03244bd9538b6d1962445
SHA256

ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214
SHA512

dfb72174ba98ff8a94fa7c8776a3f6634125f5456a154dda2ba09290840787b5fafb470d263d66d6d0060f6516680fd86d36275000292b473fb8c83d5bc02d47
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1960	omsecor.exe
2428	omsecor.exe
1588	omsecor.exe
2092	omsecor.exe
2020	omsecor.exe
3036	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
1960	omsecor.exe
2428	omsecor.exe
2428	omsecor.exe
2092	omsecor.exe
2092	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 1960 set thread context of 2428	1960	omsecor.exe	32
PID 1588 set thread context of 2092	1588	omsecor.exe	36
PID 2020 set thread context of 3036	2020	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2064 wrote to memory of 2416	2064	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	30
PID 2416 wrote to memory of 1960	2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	31
PID 2416 wrote to memory of 1960	2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	31
PID 2416 wrote to memory of 1960	2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	31
PID 2416 wrote to memory of 1960	2416	ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe	31
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 1960 wrote to memory of 2428	1960	omsecor.exe	32
PID 2428 wrote to memory of 1588	2428	omsecor.exe	35
PID 2428 wrote to memory of 1588	2428	omsecor.exe	35
PID 2428 wrote to memory of 1588	2428	omsecor.exe	35
PID 2428 wrote to memory of 1588	2428	omsecor.exe	35
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 1588 wrote to memory of 2092	1588	omsecor.exe	36
PID 2092 wrote to memory of 2020	2092	omsecor.exe	37
PID 2092 wrote to memory of 2020	2092	omsecor.exe	37
PID 2092 wrote to memory of 2020	2092	omsecor.exe	37
PID 2092 wrote to memory of 2020	2092	omsecor.exe	37
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38
PID 2020 wrote to memory of 3036	2020	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
"C:\Users\Admin\AppData\Local\Temp\ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
  C:\Users\Admin\AppData\Local\Temp\ab07b39bb758ff9db2d49c624c892aa66675d2026f131a8225885db7746b5214.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
865212ae21d311c4b40d6dd7b28d07dc

SHA1
8f10abcfca87fb563e8c78197503c894858e868f

SHA256
2e7125c81ada96eef30b466b2d9353c076d735a39aa98e719f00de89e2021cc7

SHA512
6a798c5de4d4968249580cff6cb47598bf8fae5b65ba15e4031d6746f9a450c13dee931e2ea4e3360ac6999b98b0d5fb58f03ef33ffaa3c864b570c23f90f99c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
afef6dad01a7f029a09c2f840ba06f76

SHA1
17b07d3f76045cb5872255c821571c8aa70da9ec

SHA256
717acc3278544935060a12d9ff9db249a87affc7f88a7d3c4efe3bb536a7b397

SHA512
cd7166dac054299dc728dfde94a82eb43bc08fe2ae74144e0faca2ae352f2c908dc7e4d95f18225f74922e228648bb0fa30d35957f7868ecd8455d7d6223b835

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7384059b027c5464116a44006478fa04

SHA1
2e0ff1b65a7eba05ce645d894586bf677242873d

SHA256
7429eebed08123823e552022d930f6f779eb69f5b3853776b348a8f1df66fd98

SHA512
a2179abcc4ad7d836816edf09fdaabd5097efb6893628ed92dfb27b3b9d5fc280e8c7a827e0620beeeea974065cc3bd4a78e388b279428387b8b170368fa96f8

Download Submit
memory/1588-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1588-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1960-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1960-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2064-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-72-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2416-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2416-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-48-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2428-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download