neconyd | 779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Size

96KB
MD5

44e119256f80dc9a7d0e8c9a68a6f1f0
SHA1

6547b47e6252fca2e7fec300aa36a9cd654a89d2
SHA256

779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4
SHA512

16e872ba70f05d1d81c632b722326063b713a943cabb22bec50914fdfb46a2d7f85bde1ff781b38dc0777076c9d4ecfbce6605dc5f6ce7b808dd164e499f6b54
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:OGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2860	omsecor.exe
2908	omsecor.exe
320	omsecor.exe
2992	omsecor.exe
2412	omsecor.exe
1588	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
2860	omsecor.exe
2908	omsecor.exe
2908	omsecor.exe
2992	omsecor.exe
2992	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2860 set thread context of 2908	2860	omsecor.exe	32
PID 320 set thread context of 2992	320	omsecor.exe	36
PID 2412 set thread context of 1588	2412	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2820 wrote to memory of 2848	2820	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	30
PID 2848 wrote to memory of 2860	2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	31
PID 2848 wrote to memory of 2860	2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	31
PID 2848 wrote to memory of 2860	2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	31
PID 2848 wrote to memory of 2860	2848	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	31
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2860 wrote to memory of 2908	2860	omsecor.exe	32
PID 2908 wrote to memory of 320	2908	omsecor.exe	35
PID 2908 wrote to memory of 320	2908	omsecor.exe	35
PID 2908 wrote to memory of 320	2908	omsecor.exe	35
PID 2908 wrote to memory of 320	2908	omsecor.exe	35
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 320 wrote to memory of 2992	320	omsecor.exe	36
PID 2992 wrote to memory of 2412	2992	omsecor.exe	37
PID 2992 wrote to memory of 2412	2992	omsecor.exe	37
PID 2992 wrote to memory of 2412	2992	omsecor.exe	37
PID 2992 wrote to memory of 2412	2992	omsecor.exe	37
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38
PID 2412 wrote to memory of 1588	2412	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
"C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
  C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
298b12735d9c3e76745889a6a1e3b2a3

SHA1
313f9cecdac5d349a34d00f6e7a7155eac0f7c10

SHA256
95d5e74a97d7087bca7ed2d320128122ea1eeb624983039c335427e73d5b4eb5

SHA512
50fe0f82da9d1e4f23dba35388f36dd8e6180f820b3aa747fafedad246688a362ba2104538c1dd216260d44833dcfb8c9f554de7860222a8c80f98a097bfad00

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b571a6ed360b2c8885be785f5d94345b

SHA1
98cbdc68dd2818cbffa9407747ecd9b09970f9c0

SHA256
25f0f9f81f9609b6d361296e99df8547fcbdd12a68651d0978f58572b86aea40

SHA512
a8aa076b2bfe3e5342572c825d0aee896cf2cd6c4cf3b84dacc03d136a1439d3095c4b544874d07fdddfb28f672c87dc3fb4d540ac1afaf10147461bb5081887

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e45d8daeda90895df7ddd7d6c9271cd6

SHA1
83e635a204bd0775755d2e945221467e6f67184e

SHA256
c9472bd19d98da584139ee73059fe87082440db343749520df1aecb644745c11

SHA512
386467414a1115fdd9705278c0d4edc7cdd3c17b192a634ff7ec4ca20a3af6e49af6a023b8caa2431bf9dce23350ff09c5bf7010e48b66ae675253a708f60221

Download Submit
memory/320-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/320-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1588-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2412-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2820-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2820-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2820-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2848-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-14-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2860-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2908-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-48-0x0000000000300000-0x0000000000323000-memory.dmp

Filesize
140KB

Download
memory/2908-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download