neconyd | 28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
Size

96KB
MD5

2aa48b8145f6339db83e49b482ae01c0
SHA1

2e489f3d60bb1dab6e016a3f1ffd43d8349eb575
SHA256

28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1
SHA512

4c67c181274930417d9ea65bd8f333ec4ebc5775913543afad80161281e77658b99f06225b1f1b83e4786bf65da94b1c36be1c7d3a3d74ec55ff120f60011f1c
SSDEEP

1536:2nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:2Gs8cd8eXlYairZYqMddH13q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2748	omsecor.exe
2856	omsecor.exe
2796	omsecor.exe
2336	omsecor.exe
2308	omsecor.exe
2112	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
2748	omsecor.exe
2856	omsecor.exe
2856	omsecor.exe
2336	omsecor.exe
2336	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 2748 set thread context of 2856	2748	omsecor.exe	32
PID 2796 set thread context of 2336	2796	omsecor.exe	35
PID 2308 set thread context of 2112	2308	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 1900 wrote to memory of 2280	1900	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	30
PID 2280 wrote to memory of 2748	2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	31
PID 2280 wrote to memory of 2748	2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	31
PID 2280 wrote to memory of 2748	2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	31
PID 2280 wrote to memory of 2748	2280	28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe	31
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2748 wrote to memory of 2856	2748	omsecor.exe	32
PID 2856 wrote to memory of 2796	2856	omsecor.exe	34
PID 2856 wrote to memory of 2796	2856	omsecor.exe	34
PID 2856 wrote to memory of 2796	2856	omsecor.exe	34
PID 2856 wrote to memory of 2796	2856	omsecor.exe	34
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2796 wrote to memory of 2336	2796	omsecor.exe	35
PID 2336 wrote to memory of 2308	2336	omsecor.exe	36
PID 2336 wrote to memory of 2308	2336	omsecor.exe	36
PID 2336 wrote to memory of 2308	2336	omsecor.exe	36
PID 2336 wrote to memory of 2308	2336	omsecor.exe	36
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37
PID 2308 wrote to memory of 2112	2308	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
"C:\Users\Admin\AppData\Local\Temp\28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
  C:\Users\Admin\AppData\Local\Temp\28623647b71fd94c2a734b3cd081df488930ea4c91ad80c6c3c8013fb84509e1N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
73c8725f4cc2e9353e25fc29ba382050

SHA1
38a31f74e6df578a4fbce4169bec50937fb85708

SHA256
5b5d09986c62f72b5ce9ce8e89f901f7908170a6e1899822ba09c324986646a5

SHA512
bd23f2b3995b41c450a3ba1a8b9d610bd37894afbe1e160086a93dbe213a903233523bcadc4b779eadb8aa042a2d000ad7ee241eac586e03021b214c5c96991c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5b665c060972ebd65ca3c62fe8791d7b

SHA1
254bea5aafd88effe239acda23e9cd2e0b486a09

SHA256
9ae8a6876d1da57b00cfff118fdf0d593dd10f728d4c239069bcfc52a96a309a

SHA512
77b8a4ad9ca69db289a7763d94f7ef537bcef9e8208a3fab6fd757001337604881de0058447bb77e8fe2bda82b855d6b1287d4fffe64a360d27ba3c29f73b1a1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f6b5970fe1d81e7aea7ec1a4b44a617b

SHA1
fe0e73cd5b208866c8ae662df790e22801c67975

SHA256
733e3e2a389ff79d8cb2971de30293f5fbb2bbe17430f312e91d5c25b274bccc

SHA512
001b4fd5f252aa5a5dc128f6852ad502661431c3e49cc56c251b495614ca2705c7731a8e5fface6c37bc4c3db00747842a66c0b8525bbe717d2ca20f6817e83c

Download Submit
memory/1900-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1900-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2112-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2308-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2748-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2856-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-47-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2856-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download