neconyd | c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
Size

96KB
MD5

b331a69f26466d0aa3c49f9cc46e3b2a
SHA1

dc228cdfab53f9d68316f692d9e1de2dc6ef6e3a
SHA256

c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f
SHA512

3ce01ff2d8eb2b0a0a24448d52710919edc65623a2ec08c347d9cb9232c6e16d169da4de6e71e19713e731b302e7b3f80642ec8b601104e392e12c682eff7a4f
SSDEEP

1536:XnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:XGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3032	omsecor.exe
2892	omsecor.exe
1192	omsecor.exe
2172	omsecor.exe
1364	omsecor.exe
2400	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
3032	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe
2172	omsecor.exe
2172	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 3032 set thread context of 2892	3032	omsecor.exe	31
PID 1192 set thread context of 2172	1192	omsecor.exe	34
PID 1364 set thread context of 2400	1364	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 1492 wrote to memory of 2616	1492	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	29
PID 2616 wrote to memory of 3032	2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	30
PID 2616 wrote to memory of 3032	2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	30
PID 2616 wrote to memory of 3032	2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	30
PID 2616 wrote to memory of 3032	2616	c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe	30
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 3032 wrote to memory of 2892	3032	omsecor.exe	31
PID 2892 wrote to memory of 1192	2892	omsecor.exe	33
PID 2892 wrote to memory of 1192	2892	omsecor.exe	33
PID 2892 wrote to memory of 1192	2892	omsecor.exe	33
PID 2892 wrote to memory of 1192	2892	omsecor.exe	33
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 1192 wrote to memory of 2172	1192	omsecor.exe	34
PID 2172 wrote to memory of 1364	2172	omsecor.exe	35
PID 2172 wrote to memory of 1364	2172	omsecor.exe	35
PID 2172 wrote to memory of 1364	2172	omsecor.exe	35
PID 2172 wrote to memory of 1364	2172	omsecor.exe	35
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36
PID 1364 wrote to memory of 2400	1364	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
"C:\Users\Admin\AppData\Local\Temp\c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
  C:\Users\Admin\AppData\Local\Temp\c19c8da73fc72e9880756df959a15c966b5b3b5acb35d2e5194dd3682311847f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9f2821312350658aeb3da58148d17c1d

SHA1
b39c9a286c3356cee9afadd4bc391b4f4409b581

SHA256
04ba972257b259369687c0e4ee751224b8c40ecbb27cfcff2d1b284e32e4f429

SHA512
11cf64897bef4830e51ab574525a975cf26a9ebb761ea4371e4873a5f342693fef4d28c96e878be527baaaf5685a78a8b786a39e51e6144d794b92edb46e9f09

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
79c543486d3ca507eed8e124a4734820

SHA1
c0f83087334de99816c92f47f70102f64245fb69

SHA256
2c2658dbf5d436fa48a49651dfb129016c2842b868ff42b500dad89120ddac97

SHA512
bd84ec4bcccb824baa21a6e74ac6e8a70d518d3c7866003b58a098beb82d9a6276062bddeb8b37ee5b707ac24a01403742240cdc37078ad9f49c75ac95ec9b25

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
400fde9eae3f10e76ca921c6668ee98a

SHA1
434c268e4ffa3b8b500da110c64f7df15aed8c13

SHA256
cf793f4fc1cb04e56e76fb0cda1133d190cd1e2a119071bbbf67b0d3853241ea

SHA512
ddbeb1df2ce0cfbcdd5ef03f18a962f37ebf341eaa8b04b7e46d0a0e79b0706f47c93559d8b64baa508bd03ba9ddca95c3dd6c0c87aae55be3e6ff605f16490c

Download Submit
memory/1192-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1192-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1364-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1364-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-7-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1492-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-48-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2892-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-25-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/3032-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download