neconyd | ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424

Analysis

max time kernel
116s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
Size

96KB
MD5

04563d75fcecf3eae1cc9006ac989ae0
SHA1

530f41c66f2c034780188d32d1caccfaa73613e3
SHA256

ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424
SHA512

156d89ff1ac103cc7294223d4dc23a44ac2c192990c36be7de47e75304376078903f7cd569d2f1d95af184a82a1e287258ce8133b78c9b193bfd0d8506635cbc
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
756	omsecor.exe
1056	omsecor.exe
2092	omsecor.exe
2820	omsecor.exe
2268	omsecor.exe
2304	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
1056	omsecor.exe
1056	omsecor.exe
2820	omsecor.exe
2820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 756 set thread context of 1056	756	omsecor.exe	32
PID 2092 set thread context of 2820	2092	omsecor.exe	35
PID 2268 set thread context of 2304	2268	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2116 wrote to memory of 2556	2116	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	30
PID 2556 wrote to memory of 756	2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	31
PID 2556 wrote to memory of 756	2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	31
PID 2556 wrote to memory of 756	2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	31
PID 2556 wrote to memory of 756	2556	ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe	31
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 756 wrote to memory of 1056	756	omsecor.exe	32
PID 1056 wrote to memory of 2092	1056	omsecor.exe	34
PID 1056 wrote to memory of 2092	1056	omsecor.exe	34
PID 1056 wrote to memory of 2092	1056	omsecor.exe	34
PID 1056 wrote to memory of 2092	1056	omsecor.exe	34
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2092 wrote to memory of 2820	2092	omsecor.exe	35
PID 2820 wrote to memory of 2268	2820	omsecor.exe	36
PID 2820 wrote to memory of 2268	2820	omsecor.exe	36
PID 2820 wrote to memory of 2268	2820	omsecor.exe	36
PID 2820 wrote to memory of 2268	2820	omsecor.exe	36
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37
PID 2268 wrote to memory of 2304	2268	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
"C:\Users\Admin\AppData\Local\Temp\ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
  C:\Users\Admin\AppData\Local\Temp\ef876d4528e399a528fdbf22eeeb581e49d65a113bb945b15cea48da574fd424N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5d8468556ee467b3e085e9d7b333ef4a

SHA1
49de9504ce0911aa2341d9bc38f55d6a4352e191

SHA256
19dbe6824febf0a09bae240ec0a143903297ba7157ef31af3d3d713266f0f66e

SHA512
a5a71218bc75a4419e8ba6cacef7d812564e0fb4af0126158fc7f80a5f377f8cc570be88a04b0dc77ebd038badfe61fb736e11e4e854b82fc24ba3a7fe788852

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
bdbae2bcf91c763704a6d2b38388f093

SHA1
ec7c1ef6ca345d2bdf439fdd870f2688ca5abb66

SHA256
118eaa015604e65e959dc99650cb9142dbc63a3f04dba7b02f17ac880c02343e

SHA512
41bd918a2b8357adbc5c8b0eb868efd3e520bb129f0d2f81ee426349dd6d6977564f89266ccdbb928f724da27c8215636b2e2340cc6b11cafa86217516d1c36e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
4cc9236a091d764605f1b51b483374c7

SHA1
9e7ae319f50884728e912cb3bb9b1079ac4600eb

SHA256
a34eb3aeeb7a38e2da64287347794fda16c568d14e57e3b1eb61455f3e0d20c4

SHA512
b48fdda057fd28d4a6affdcbe0ae81c4a948515754a48a1174d007fc77bbfd5d1c47cc431550eb250a742860a3bcd2b75b085e306e71f5236fe3444f0d2dbde5

Download Submit
memory/756-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/756-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1056-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-88-0x00000000023A0000-0x00000000023C3000-memory.dmp

Filesize
140KB

Download
memory/1056-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-54-0x00000000023A0000-0x00000000023C3000-memory.dmp

Filesize
140KB

Download
memory/1056-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2092-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2268-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2268-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2304-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2820-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download