neconyd | 037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfd

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
Size

96KB
MD5

86185d1a81bf1ac265a5f0097c854dc0
SHA1

32a3b8cdc7d43e2f9c0be87601f4a328500306e8
SHA256

037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfd
SHA512

ada2a2bb5fcc99929428eb2e221a7b2a76ee6939419beae237e1f40ce33e6bfe36d4e2bd5178d2bd722d28a03b21b3d652a711c6e381ac7f2c1fcb0d93dc8c4d
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:PGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2668	omsecor.exe
2568	omsecor.exe
1560	omsecor.exe
1696	omsecor.exe
2240	omsecor.exe
2300	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
2668	omsecor.exe
2568	omsecor.exe
2568	omsecor.exe
1696	omsecor.exe
1696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2668 set thread context of 2568	2668	omsecor.exe	32
PID 1560 set thread context of 1696	1560	omsecor.exe	35
PID 2240 set thread context of 2300	2240	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2792 wrote to memory of 2708	2792	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	30
PID 2708 wrote to memory of 2668	2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	31
PID 2708 wrote to memory of 2668	2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	31
PID 2708 wrote to memory of 2668	2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	31
PID 2708 wrote to memory of 2668	2708	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	31
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2668 wrote to memory of 2568	2668	omsecor.exe	32
PID 2568 wrote to memory of 1560	2568	omsecor.exe	34
PID 2568 wrote to memory of 1560	2568	omsecor.exe	34
PID 2568 wrote to memory of 1560	2568	omsecor.exe	34
PID 2568 wrote to memory of 1560	2568	omsecor.exe	34
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1560 wrote to memory of 1696	1560	omsecor.exe	35
PID 1696 wrote to memory of 2240	1696	omsecor.exe	36
PID 1696 wrote to memory of 2240	1696	omsecor.exe	36
PID 1696 wrote to memory of 2240	1696	omsecor.exe	36
PID 1696 wrote to memory of 2240	1696	omsecor.exe	36
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37
PID 2240 wrote to memory of 2300	2240	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
"C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
  C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ab3a78967383e21d24cadff5d1cc0129

SHA1
a87155b7ea562bdeef72d207df02aa55fa3e090b

SHA256
85018709373bdd0b5ac6ed31ee03d1047cda6d7d22f85108df956c3e40fb5d99

SHA512
b9c7b806b8285b125bd68423d386a3ab6264ce6231dbff1c500b4fa31840cb0533328b628cabb5ac2f204d9911d70aaef670ba9af9d18a902291f0643fe81e84

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a0324e64420b5ba4d2eceb88eea1cf12

SHA1
f0051b96f436f85712ecd721b87c9ac2e018f0db

SHA256
c93338e3fce3ea939582233765ceb44fadd0056b14390f60baad68f9113fda18

SHA512
77617a3fec3fc6e9897b9d4b12f5a8a2a101dcc10f966f8aee3620ea52539861cd9bf11c753fc3430e21239106f4172685743fbc7393506cf1c145d3123544f7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3689404869f0d3b7d6b73452755a927b

SHA1
7279b418f33ead5f3f8b409dd0e2397cc16e2bfd

SHA256
7c0ee5b167329a390b7c51c2364bacb89bb79fb9c16793133c345c04a5687047

SHA512
f26700c59aadb6d27ec21bab9ffc84240f9d760e00bec9738e87406cf4b3fb42de1937ec05b93beebb6e06a78b6da9df2251d8f63aa762bebfc356f0b39e56a7

Download Submit
memory/1560-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1560-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1696-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2240-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2300-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-49-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2568-54-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2568-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2708-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2792-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download