neconyd | db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7a

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
Size

96KB
MD5

b0e1c1de107832e2c23638e9d501b180
SHA1

9723a1be472ebd780fc531cf72b5f87ee61aeefc
SHA256

db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7a
SHA512

783d307d0abc11382924837051b9a4d61f8aece5bf8cf336736557510c5e0ec2037269c6be9692adc71e4e66385e16b369cd9d796408abf7d3ed207c8c9927dd
SSDEEP

1536:3nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:3Gs8cd8eXlYairZYqMddH13q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2696	omsecor.exe
1536	omsecor.exe
3036	omsecor.exe
1352	omsecor.exe
2204	omsecor.exe
2172	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
2696	omsecor.exe
1536	omsecor.exe
1536	omsecor.exe
1352	omsecor.exe
1352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2696 set thread context of 1536	2696	omsecor.exe	32
PID 3036 set thread context of 1352	3036	omsecor.exe	36
PID 2204 set thread context of 2172	2204	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2784 wrote to memory of 2220	2784	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	30
PID 2220 wrote to memory of 2696	2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	31
PID 2220 wrote to memory of 2696	2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	31
PID 2220 wrote to memory of 2696	2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	31
PID 2220 wrote to memory of 2696	2220	db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe	31
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 2696 wrote to memory of 1536	2696	omsecor.exe	32
PID 1536 wrote to memory of 3036	1536	omsecor.exe	35
PID 1536 wrote to memory of 3036	1536	omsecor.exe	35
PID 1536 wrote to memory of 3036	1536	omsecor.exe	35
PID 1536 wrote to memory of 3036	1536	omsecor.exe	35
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 3036 wrote to memory of 1352	3036	omsecor.exe	36
PID 1352 wrote to memory of 2204	1352	omsecor.exe	37
PID 1352 wrote to memory of 2204	1352	omsecor.exe	37
PID 1352 wrote to memory of 2204	1352	omsecor.exe	37
PID 1352 wrote to memory of 2204	1352	omsecor.exe	37
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38
PID 2204 wrote to memory of 2172	2204	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
"C:\Users\Admin\AppData\Local\Temp\db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
  C:\Users\Admin\AppData\Local\Temp\db652e23de5bfd8b75978e41fd5aa8b38d7ca1f5d9010a88f6eca4808efb4d7aN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
29521e0377b078eddf66eb2e4d04cf96

SHA1
7d8f704e344f0454947dea87a43207102fad0ab9

SHA256
c3d12ab94e5b1dead22e1b62c913454fe8e7622b1e690bf789d744abe5a96edf

SHA512
d36df3afd959808fd762c224dc4a7f8e8f490dee2f778052f8cd7f40569de57696df2fae4be33577d280d9c0a0312fef2fe617ad6e82d0459ebdcadd9e4c4bc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4c9a985738be18e664a71cc69e539aed

SHA1
d9ceafae75154c2ae956b1acaf77db688cbcb33d

SHA256
16910af4c7dd81e1f63ca18cb112edeb6422b607309fed63e94131cb1e8ebaa2

SHA512
296e78e7f5f57e8b40ae318b3b4bb38d383365d01f15e1ccbd992b64dd10615458bd16c2d3afe9d407d10128bba8df19fb0162b8c3e6f2035935c2ff78d270fe

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6cca84cdc0dc2a8059183291fdca09d2

SHA1
5f44dac2139c10a0f0f498ded295f5ea666e9b52

SHA256
0edab1eaa0ad2534792dd276aeca1c38b6e1730086dd4dbdf4ec643609f67d3d

SHA512
084df784182de87f28dc79008b0703d92a39d496d7dc98a068fcd8027322fe73c3c365700ebec82e04272aba8157b0c8e76f349f0e2e668f5ee2eb6228383252

Download Submit
memory/1536-51-0x0000000002220000-0x0000000002243000-memory.dmp

Filesize
140KB

Download
memory/1536-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-53-0x0000000002220000-0x0000000002243000-memory.dmp

Filesize
140KB

Download
memory/1536-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2172-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2220-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2220-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2220-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2220-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download