neconyd | 18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0e

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Size

96KB
MD5

097d8bd0729b57c4ea0f55dcc49efd60
SHA1

e9e045e19973d2938f79f144f6217f24083b3629
SHA256

18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0e
SHA512

2d2a45aedacd47b11755500a1a1ef230063c98b32144a59f032901fa2336a802469bbf2b38a3c8262426515933eb98d97e6acfbb665ddde01b6edb364b45e6f5
SSDEEP

1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:AGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2252	omsecor.exe
1820	omsecor.exe
2512	omsecor.exe
2004	omsecor.exe
2852	omsecor.exe
2708	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
2252	omsecor.exe
1820	omsecor.exe
1820	omsecor.exe
2004	omsecor.exe
2004	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2252 set thread context of 1820	2252	omsecor.exe	32
PID 2512 set thread context of 2004	2512	omsecor.exe	36
PID 2852 set thread context of 2708	2852	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2696 wrote to memory of 2520	2696	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	30
PID 2520 wrote to memory of 2252	2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	31
PID 2520 wrote to memory of 2252	2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	31
PID 2520 wrote to memory of 2252	2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	31
PID 2520 wrote to memory of 2252	2520	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	31
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 2252 wrote to memory of 1820	2252	omsecor.exe	32
PID 1820 wrote to memory of 2512	1820	omsecor.exe	35
PID 1820 wrote to memory of 2512	1820	omsecor.exe	35
PID 1820 wrote to memory of 2512	1820	omsecor.exe	35
PID 1820 wrote to memory of 2512	1820	omsecor.exe	35
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2512 wrote to memory of 2004	2512	omsecor.exe	36
PID 2004 wrote to memory of 2852	2004	omsecor.exe	37
PID 2004 wrote to memory of 2852	2004	omsecor.exe	37
PID 2004 wrote to memory of 2852	2004	omsecor.exe	37
PID 2004 wrote to memory of 2852	2004	omsecor.exe	37
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38
PID 2852 wrote to memory of 2708	2852	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
  C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6fffd9aa3760c5035bd091852bbad5de

SHA1
5154c2f18f2be302ed96b2e3a770cc7ec4b2fb5d

SHA256
f805d930a2da175d65e3b850a37e77a8b867f366ef8821c621ccc3ed779537dd

SHA512
e4bda74cee3071f32f20876a39ce5634c2edee7913dbb5495bc0d0f5d100822d0cd65547503a85558e60ab6d5f49d1ac72bc46686b1c191cf19dea0841a47c4a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
78dda33f247aabaf5629902945f25d37

SHA1
4391ffecc2b0bd4f62fa5db014548ae28dcbd43d

SHA256
d3282953aaef5dd093222fd7822a8c70be349f948c7265d062127a6923eb0586

SHA512
a36499e5deba020e5b80f00e92d53efe28ac49cd1df56f3f26d61d0e0c13a9ba0602301e56446293e9a1fb415041921cdcbe33bff6aa8ceb792be9fe73c81faf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
707b334d3d5eb688dee2b57ba4a84057

SHA1
22a66c70f8e1722b5e2f748b04ea9882b7757b7f

SHA256
7edc90fb0c1d20e9a3de39c24197925928434770a76dec1d8cf53c14bdf9d8fb

SHA512
b488b866e2392ef49f5bbd9092b5be31a7772ffaf59033d85ad571d6f802e5462f874917fd436138295f148bbd1af0d7fd22f9d56cc3acec233131df2ca4d8eb

Download Submit
memory/1820-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-47-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/1820-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2004-72-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2252-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2252-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2512-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2512-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2520-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download