neconyd | e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
Size

96KB
MD5

2b32d2832eb8548a895dbc2601b8a466
SHA1

894ae484347b6df1d07e1c3811cde83308d08329
SHA256

e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3
SHA512

f64a78d79f22d9f0c1550363777084537275dd351f33d2c272791b8ac1a43e92c57fdb104fa8131d134fec4bf6bd14e8fcbc51dfe00c1a9ccdb3d45b71041bef
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxh:0Gs8cd8eXlYairZYqMddH13h

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2264	omsecor.exe
2404	omsecor.exe
2876	omsecor.exe
2584	omsecor.exe
2036	omsecor.exe
1764	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
2264	omsecor.exe
2404	omsecor.exe
2404	omsecor.exe
2584	omsecor.exe
2584	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2264 set thread context of 2404	2264	omsecor.exe	32
PID 2876 set thread context of 2584	2876	omsecor.exe	36
PID 2036 set thread context of 1764	2036	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 2156 wrote to memory of 1992	2156	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	30
PID 1992 wrote to memory of 2264	1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 1992 wrote to memory of 2264	1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 1992 wrote to memory of 2264	1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 1992 wrote to memory of 2264	1992	e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe	31
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2264 wrote to memory of 2404	2264	omsecor.exe	32
PID 2404 wrote to memory of 2876	2404	omsecor.exe	35
PID 2404 wrote to memory of 2876	2404	omsecor.exe	35
PID 2404 wrote to memory of 2876	2404	omsecor.exe	35
PID 2404 wrote to memory of 2876	2404	omsecor.exe	35
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2876 wrote to memory of 2584	2876	omsecor.exe	36
PID 2584 wrote to memory of 2036	2584	omsecor.exe	37
PID 2584 wrote to memory of 2036	2584	omsecor.exe	37
PID 2584 wrote to memory of 2036	2584	omsecor.exe	37
PID 2584 wrote to memory of 2036	2584	omsecor.exe	37
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38
PID 2036 wrote to memory of 1764	2036	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
"C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
  C:\Users\Admin\AppData\Local\Temp\e38d5be26e5e28d04d78b42898a881c2c38c7c3d3364a9bc0214ab62f6e0e8f3.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d48ed081dee2cb716a1daf825a1f6dd8

SHA1
8eedb531d719d8fb54478d7692b1fd707fe34074

SHA256
ce1052dbd9a40d7a4011189b9a8a4aa7c98fdefa587c2177f80ad865318778c9

SHA512
d40fbba8695e97f583ac6f3a4be991029d8c529cd24c8852504f315c6f2b78fd6a03bd7cb8bf895a997d2aa1e801d4d3e32827df7bc00d78d434f2671d1ad58b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2c5fb50480c99d74c733a81b0eb938f0

SHA1
9cde90563a960086839618474dac7d2676d3865e

SHA256
1985c279e9fe276523b149c7372adecd0964ad9b4659d0ea6797161d0187a07b

SHA512
c4b1734d6b070c162fb8076e3767283eae3f096d5eeb91ef6a3030947e62a9e7c1f6a18327b00b6c9ed703f4a55e7bff2e899282aa4adf2c5c2df157160288fa

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
64c431140e57beb1136377f45f844d32

SHA1
a6069ad5f3e8b44ad2340df0480be00680c1b254

SHA256
928fcbec57ba02c22d19b4eaae545cb58b509c46ebc893b463ff30b6247fac2b

SHA512
655fa8291dade8fdfa86509e5006c690bc5bb7ef599619a106b375bd42429bfd2d5eca48e7da98928e80beafb225fedd1dfcf7887c6802ae5d68b4ed1ae8e90d

Download Submit
memory/1764-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1764-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2404-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-47-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2404-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2876-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download