neconyd | 7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Size

96KB
MD5

c44cdf5463ca0606e35f53d6fba274b2
SHA1

e0209a5260253ae6581e0a6b34daf683e1f3bc63
SHA256

7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1
SHA512

72e316391de38d54cf2954cbc5be34585b2486387d87868219aecefcc42c51b9601658940997a4f174975c3ad42ec3cf7c19662fb803741f56b8517fd04ad39b
SSDEEP

1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:YGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2044	omsecor.exe
1912	omsecor.exe
536	omsecor.exe
1900	omsecor.exe
2624	omsecor.exe
2988	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
2044	omsecor.exe
1912	omsecor.exe
1912	omsecor.exe
1900	omsecor.exe
1900	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2044 set thread context of 1912	2044	omsecor.exe	33
PID 536 set thread context of 1900	536	omsecor.exe	37
PID 2624 set thread context of 2988	2624	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2108 wrote to memory of 2492	2108	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	31
PID 2492 wrote to memory of 2044	2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	32
PID 2492 wrote to memory of 2044	2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	32
PID 2492 wrote to memory of 2044	2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	32
PID 2492 wrote to memory of 2044	2492	7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe	32
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 2044 wrote to memory of 1912	2044	omsecor.exe	33
PID 1912 wrote to memory of 536	1912	omsecor.exe	36
PID 1912 wrote to memory of 536	1912	omsecor.exe	36
PID 1912 wrote to memory of 536	1912	omsecor.exe	36
PID 1912 wrote to memory of 536	1912	omsecor.exe	36
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 536 wrote to memory of 1900	536	omsecor.exe	37
PID 1900 wrote to memory of 2624	1900	omsecor.exe	38
PID 1900 wrote to memory of 2624	1900	omsecor.exe	38
PID 1900 wrote to memory of 2624	1900	omsecor.exe	38
PID 1900 wrote to memory of 2624	1900	omsecor.exe	38
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39
PID 2624 wrote to memory of 2988	2624	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
"C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
  C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d63e0e55a7dbd72b2d16bfe9d959ba07

SHA1
726a068c58be30a74c059efbd38e3152a9575442

SHA256
24bc0646657b27db4c100a4a0b9cb71cd28517b2de902a681b5a68dcc1fa03de

SHA512
e38b7a512678ba57e68e2bd6fd12a01ed15bf32adf024ff6d55fc36076fdfecb02f5ffef85838957b61cb38a4bdf9187bd8db214ab877f738be31310e1013de9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a42941588f9c7f3e8d6c0f37ffc441a1

SHA1
108d0dc9f793762e5b67ec0cec3f80884d55e43b

SHA256
59a952763aa384b0c2c1e6d9017a22fb85aef0e13ab18431c63eb215d3f5f6be

SHA512
90aac23129a9cc945957e334fb126fbac6968620fab7857a8a23e3010440e576c24638c038344263ea2b6595520dc66036e5ccf59c93df76c750faaec45cb775

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d8f0d0640e03c51f2b4a1cbfe5ef128d

SHA1
4658c08dbd4e10fe38468e32c97899ef7a4646c8

SHA256
257e5618ea4a284e1d8b46933af7272d8d55f79d604608044c3186303c563adf

SHA512
c3e7a84258c3e749626256d1c4878e1bfceb262b3c9512e9acdcd7eb79c65236d98a4b8fb68e09b961985ab1c612fa8de35fd49b24376fbaef37240d7e2adda1

Download Submit
memory/536-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/536-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1912-52-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/1912-53-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/1912-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2044-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2044-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2492-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2624-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download