neconyd | 869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
Size

96KB
MD5

bc9ddeed73da5ffbb2dbed320facfc60
SHA1

b932015410eaa2c0688909091d6caa894d9dd07d
SHA256

869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2
SHA512

7cfab65c912f44018b4e88fc147cb5e6d03a69c4a5167de315503180a78726634713b6fd9a3a5e131663b4878770f547d90373cbd4609e399cabda04fbd29fba
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:kGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
1748	omsecor.exe
3000	omsecor.exe
1912	omsecor.exe
632	omsecor.exe
1944	omsecor.exe
1816	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
1748	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe
632	omsecor.exe
632	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 2708 set thread context of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 1748 set thread context of 3000	1748	omsecor.exe	32
PID 1912 set thread context of 632	1912	omsecor.exe	36
PID 1944 set thread context of 1816	1944	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

omsecor.exeomsecor.exe869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2708 wrote to memory of 2160	2708	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	30
PID 2160 wrote to memory of 1748	2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	31
PID 2160 wrote to memory of 1748	2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	31
PID 2160 wrote to memory of 1748	2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	31
PID 2160 wrote to memory of 1748	2160	869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe	31
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 1748 wrote to memory of 3000	1748	omsecor.exe	32
PID 3000 wrote to memory of 1912	3000	omsecor.exe	35
PID 3000 wrote to memory of 1912	3000	omsecor.exe	35
PID 3000 wrote to memory of 1912	3000	omsecor.exe	35
PID 3000 wrote to memory of 1912	3000	omsecor.exe	35
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 1912 wrote to memory of 632	1912	omsecor.exe	36
PID 632 wrote to memory of 1944	632	omsecor.exe	37
PID 632 wrote to memory of 1944	632	omsecor.exe	37
PID 632 wrote to memory of 1944	632	omsecor.exe	37
PID 632 wrote to memory of 1944	632	omsecor.exe	37
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38
PID 1944 wrote to memory of 1816	1944	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
"C:\Users\Admin\AppData\Local\Temp\869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
  C:\Users\Admin\AppData\Local\Temp\869edb9e93d628a4e6b9f9eb6498eea072459c1f1c61af4d322dd747d64de3b2N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d8a2e57b7aec100f2f52ff3393b79de1

SHA1
fb4fa397acbcb5b1a52e0f0163ad8ac9152fe588

SHA256
c7595122b2366ccbb1ab0e1f83532073b0b1d3d513363516dea09871af6a4800

SHA512
e6d022c44dddcc688167b8f14a7fbce014c3a8a4a08f83e64611d0345a04c852b4ecfee35e7193aedcd8428ff1ab5a7750767677620fe18d7d6ec35da5bbd406

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9deb20a6328d575a32f344f6f38f4aa6

SHA1
93b682b0ee1dcb836a4da87a81317058c08794eb

SHA256
110e70af360536697d020bed6c8ac5634e48d50e904d4d59b27a980ecb114934

SHA512
2cd86c55cd56d5dc53fbab43dafa957fa21169e34b5ea769c694ffcb38906f4ecf32db4ed206bab5bc6976fe0aba442512d0d18666d4af27db4660ecfe8f186d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7078eff12bc0abe3d764da633a462455

SHA1
4ab39dc544e3876879c25414a449cbf32e6a25d3

SHA256
7624c4e457b60053affbc51ac26b6bbd12afa91908ed5ea0054cf33469dd220a

SHA512
e1412c75e1d3d410256d830157b14be0007e6ddf908eefc65ee3af004a7c5a549c6b7fb8b6b9d969d5549ca72fb562e75d7d88bf448d107a4a8082f0729973bc

Download Submit
memory/1748-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1748-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1748-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1816-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1912-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download