neconyd | 1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/11/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
Size

96KB
MD5

ddd2c39f3e07b4a00271a18f28af5500
SHA1

404924769d864f072a159730c634db28b1afee4f
SHA256

1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906
SHA512

f6d6f0ba4567246cfb27d95350a5f6f5feecc268f07be7a7f88bd501f3a28219205d29f6ec07849201bbbf81d3596ed42b5abb762ab9586f1fe62fc55d131759
SSDEEP

1536:wnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:wGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1948	omsecor.exe
2364	omsecor.exe
2264	omsecor.exe
1044	omsecor.exe
1396	omsecor.exe
2556	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
1948	omsecor.exe
2364	omsecor.exe
2364	omsecor.exe
1044	omsecor.exe
1044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1948 set thread context of 2364	1948	omsecor.exe	32
PID 2264 set thread context of 1044	2264	omsecor.exe	36
PID 1396 set thread context of 2556	1396	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1996 wrote to memory of 1980	1996	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	30
PID 1980 wrote to memory of 1948	1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	31
PID 1980 wrote to memory of 1948	1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	31
PID 1980 wrote to memory of 1948	1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	31
PID 1980 wrote to memory of 1948	1980	1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe	31
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 1948 wrote to memory of 2364	1948	omsecor.exe	32
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 1044 wrote to memory of 1396	1044	omsecor.exe	37
PID 1044 wrote to memory of 1396	1044	omsecor.exe	37
PID 1044 wrote to memory of 1396	1044	omsecor.exe	37
PID 1044 wrote to memory of 1396	1044	omsecor.exe	37
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38
PID 1396 wrote to memory of 2556	1396	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
"C:\Users\Admin\AppData\Local\Temp\1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
  C:\Users\Admin\AppData\Local\Temp\1caa30a001040b0dda92622af98b954b07066e5936c937da760707202dd06906N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a1cd9c574bb219a09569da47b97f1e53

SHA1
3025e1a86a6b5ff0332cbf0cb7cb91d5087500a7

SHA256
9090936c41b6ebafa02ff07c10c00956935937226678d22d54b574291ff68638

SHA512
e5ef197852c9fe78eaaeba95a5fe611f45daa4b7288b2cf02561591e33efab7fcdc38f4c7cfb143215a6aa0b96b717dde59115307aeec10db457eefde29e043c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5891c760b3f3f0c60778fc4e386869cf

SHA1
7e6a5b37b8bd38f2bfc2ff1948081bab9ead15c8

SHA256
5aea8670afd236f90d7af5f158398a058747efb6d0f544790c2bd82d14f24949

SHA512
f09f0fe2446d4587a24a4c7ff526493d9918e80658fc625e707263a730fc44f9522fe06718331e7af5dc23f4076ff6606e2ea01d6620b621fd54060c8727d531

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
33c70d6e84fede446df772ad14836fef

SHA1
5191f6e38a682cb1bc370e3a6278108e79aef91d

SHA256
0e271c35c2ffb31c2a9c2fd6c5308823d554f4dba97023ad368c862fb7a297e2

SHA512
e3362a7994c19ef8e3653e5f61e6b5339a3b1d696b1bdc089d440c3f0bedb8848bcacbb6baab6050fd83d40cfb5c37e4302f2e42b5f2b5c7e0d3bc08ee7d0632

Download Submit
memory/1044-75-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1396-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1396-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1948-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1948-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1948-26-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/1980-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1980-22-0x0000000001B60000-0x0000000001B83000-memory.dmp

Filesize
140KB

Download
memory/1980-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1980-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-37-0x0000000001B60000-0x0000000001B83000-memory.dmp

Filesize
140KB

Download
memory/1980-14-0x0000000001B60000-0x0000000001B83000-memory.dmp

Filesize
140KB

Download
memory/1980-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1980-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1996-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-50-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/2364-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download