neconyd | f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
Size

96KB
MD5

00f81473b0915b5718e9375dc3e8345f
SHA1

b07dac926bf00be788c83d2fdbf88790cfc7d05c
SHA256

f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e
SHA512

12e0084567de7530e58a102ab4fd59d6c38a462d7f1cda1ff18319916c070ce139c0acfea287bca309b8d854f97cf9444c895966683f9fdf99c3942d2d11e66e
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:PGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
2392	omsecor.exe
1148	omsecor.exe
1384	omsecor.exe
2012	omsecor.exe
1744	omsecor.exe
1776	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exeomsecor.exeomsecor.exeomsecor.exe

pid	Process
2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
2392	omsecor.exe
1148	omsecor.exe
1148	omsecor.exe
2012	omsecor.exe
2012	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 764 set thread context of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 2392 set thread context of 1148	2392	omsecor.exe	32
PID 1384 set thread context of 2012	1384	omsecor.exe	36
PID 1744 set thread context of 1776	1744	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

omsecor.exef5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exef5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exef5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 764 wrote to memory of 2400	764	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	30
PID 2400 wrote to memory of 2392	2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	31
PID 2400 wrote to memory of 2392	2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	31
PID 2400 wrote to memory of 2392	2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	31
PID 2400 wrote to memory of 2392	2400	f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe	31
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 2392 wrote to memory of 1148	2392	omsecor.exe	32
PID 1148 wrote to memory of 1384	1148	omsecor.exe	35
PID 1148 wrote to memory of 1384	1148	omsecor.exe	35
PID 1148 wrote to memory of 1384	1148	omsecor.exe	35
PID 1148 wrote to memory of 1384	1148	omsecor.exe	35
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 1384 wrote to memory of 2012	1384	omsecor.exe	36
PID 2012 wrote to memory of 1744	2012	omsecor.exe	37
PID 2012 wrote to memory of 1744	2012	omsecor.exe	37
PID 2012 wrote to memory of 1744	2012	omsecor.exe	37
PID 2012 wrote to memory of 1744	2012	omsecor.exe	37
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38
PID 1744 wrote to memory of 1776	1744	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
"C:\Users\Admin\AppData\Local\Temp\f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
  C:\Users\Admin\AppData\Local\Temp\f5ae2a6d05a4b72d38d6cd33d48378fe7ea9fc36c33300729f5d9c8589ca585e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2f55ef1315d4abe062a47d81b9760d0c

SHA1
fce84f42e15da2ddf3e653d2e4b5fdd272cf4753

SHA256
470835bc99b568d2ebf5e7a3ed000ce752d59571945a90b3777d4715282314aa

SHA512
502e3515054cefa9a9cce8867aa226e4d8dc518326c21dea8c9ddf4d17a0e50da049cd7ac85ca6256e81f588fcf8c5618151ff413c059b8260ee58c39f255643

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f918db2bd8b98b606d1cfaee13324e35

SHA1
781e096ef409eec4887cb3177f41102953ee4efa

SHA256
f67ecaabfcb92ce5926a10503e6c02afb6700be8d87a09c86fc17da827508cdb

SHA512
3ae40d057ed5b584d3d3d03675cf70ae06b3810980ad31153f720d24559089b176d388638a84fb711e166b4865040d7f59591713ca9639c043c1a834c4c69401

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e7bea8f8e430b15c77c9056fd83d181c

SHA1
8aebfc1c4fc3782a372c705789de575381d0b8e8

SHA256
30de2565ef50f39b29da0ac4517d84d4fdcadfc692d6274081a162ad9fdaafd6

SHA512
21bff39b572bf078b7584f641c74bfb6cb0fdc430a8668596249e106ee556f20fd358da29bca16796733a59d3e405f11206d9897555deb3f8a31f8deef602eab

Download Submit
memory/764-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/764-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1148-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-49-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1148-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1384-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1776-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1776-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2012-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2392-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2392-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2400-18-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download