neconyd | 92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
Size

96KB
MD5

ab3915540e16fd4b6238b0aa8a0fe230
SHA1

bc4106db64c12f4c6154bc2934ef1756c4b71b11
SHA256

92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994f
SHA512

75f01db9dedd07cf359a0b23cd52f506914f9767ada3b233190db5302ff63ca669ae75fd11a75b0d61c2a96c51a3af8116222ec287fa8bfa87e40121ef351a71
SSDEEP

1536:gnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:gGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3064	omsecor.exe
2852	omsecor.exe
2424	omsecor.exe
1928	omsecor.exe
1252	omsecor.exe
1984	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
3064	omsecor.exe
2852	omsecor.exe
2852	omsecor.exe
1928	omsecor.exe
1928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 3064 set thread context of 2852	3064	omsecor.exe	32
PID 2424 set thread context of 1928	2424	omsecor.exe	36
PID 1252 set thread context of 1984	1252	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2132 wrote to memory of 2152	2132	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	30
PID 2152 wrote to memory of 3064	2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	31
PID 2152 wrote to memory of 3064	2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	31
PID 2152 wrote to memory of 3064	2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	31
PID 2152 wrote to memory of 3064	2152	92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe	31
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 3064 wrote to memory of 2852	3064	omsecor.exe	32
PID 2852 wrote to memory of 2424	2852	omsecor.exe	35
PID 2852 wrote to memory of 2424	2852	omsecor.exe	35
PID 2852 wrote to memory of 2424	2852	omsecor.exe	35
PID 2852 wrote to memory of 2424	2852	omsecor.exe	35
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 2424 wrote to memory of 1928	2424	omsecor.exe	36
PID 1928 wrote to memory of 1252	1928	omsecor.exe	37
PID 1928 wrote to memory of 1252	1928	omsecor.exe	37
PID 1928 wrote to memory of 1252	1928	omsecor.exe	37
PID 1928 wrote to memory of 1252	1928	omsecor.exe	37
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38
PID 1252 wrote to memory of 1984	1252	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
"C:\Users\Admin\AppData\Local\Temp\92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
  C:\Users\Admin\AppData\Local\Temp\92fd7a3fe3759ee23b7e919919caa354e5954c3fd1ed0e5b17f5aeccf60e994fN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
615c253e6e2c0093e66c43ee4d28f97e

SHA1
e8a169711205677d3cc4ebfb355241f09f62f586

SHA256
3423fdf714fb0df39eab4c64b9b7ff316ff8e6d355e797a2f7a6447b2629f426

SHA512
5e1213d7b3fe8287702a4447fa0be414fcb81c27001cec18cfc76c01d9a33b35a3aa1453d027b6c9277e458d061913bec5b2477156bb816e8ae1d0a01644215a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
13084f39feda34461dc3df28d4194130

SHA1
395ead17b635e02276084dea1fbeba787aa2d311

SHA256
38a25f9adaec17dc55ec3202e5debbe1ad7e29672e6d2f427015d8ce5420c4bd

SHA512
8429053c4035867b21f8d40d31f9be7bb7925b2df1a4a57a6c255da11bdb2aa6ee9cfc581667d0682c62d8b367955bbe56c05a136b3b5e943bf54839f02d21e9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7adc2a744ffe47761061354077239a1b

SHA1
cfc1888814177ce5f82b33fb757bd32e23efe4df

SHA256
f2cb56c61107055fe91eddfc6b1b64693005285c24bfca92fa8297b5f6809744

SHA512
da29553a5b0972f257ebcf49c3ee91254bb044e2614bf323e9f857c5b303942d566e4eb2fc8494198e92741af9518495927312e3de0c677297e79f748ba6fd66

Download Submit
memory/1252-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1928-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1984-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-11-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2132-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2132-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-48-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/2852-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3064-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download