neconyd | 6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
Size

96KB
MD5

803e5704adb1119a88668100b2a22780
SHA1

f7ecbd67283ac3572daa4551b581afc4468bf1ca
SHA256

6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80
SHA512

db34619ff91d69614390b33e3b63d7319ec2221313deb8e3274778503f08b31c98e2643491814c9fd215c488dbd262a83867ac4d1dfc29549e2e9441d9515802
SSDEEP

1536:8nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:8Gs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2992	omsecor.exe
2540	omsecor.exe
2156	omsecor.exe
1676	omsecor.exe
1560	omsecor.exe
1816	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
2992	omsecor.exe
2540	omsecor.exe
2540	omsecor.exe
1676	omsecor.exe
1676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2992 set thread context of 2540	2992	omsecor.exe	33
PID 2156 set thread context of 1676	2156	omsecor.exe	36
PID 1560 set thread context of 1816	1560	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 2264 wrote to memory of 1668	2264	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	31
PID 1668 wrote to memory of 2992	1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	32
PID 1668 wrote to memory of 2992	1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	32
PID 1668 wrote to memory of 2992	1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	32
PID 1668 wrote to memory of 2992	1668	6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe	32
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2992 wrote to memory of 2540	2992	omsecor.exe	33
PID 2540 wrote to memory of 2156	2540	omsecor.exe	35
PID 2540 wrote to memory of 2156	2540	omsecor.exe	35
PID 2540 wrote to memory of 2156	2540	omsecor.exe	35
PID 2540 wrote to memory of 2156	2540	omsecor.exe	35
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 2156 wrote to memory of 1676	2156	omsecor.exe	36
PID 1676 wrote to memory of 1560	1676	omsecor.exe	37
PID 1676 wrote to memory of 1560	1676	omsecor.exe	37
PID 1676 wrote to memory of 1560	1676	omsecor.exe	37
PID 1676 wrote to memory of 1560	1676	omsecor.exe	37
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38
PID 1560 wrote to memory of 1816	1560	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
"C:\Users\Admin\AppData\Local\Temp\6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
  C:\Users\Admin\AppData\Local\Temp\6c815910bc2352561c9de71b66a89f1ece78a6807f29f2c1114abd8988231f80N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
df91a3fda4e03e2024ed0f62b34b8226

SHA1
63e7453625e1e3cd16a8586589a0d8ffe069e2ab

SHA256
abb45a8c946ad6c1cb3be0544e90febb83a1c5211e2486ae7f894500d09efc65

SHA512
fe66ce71f2ed778cf2a416892feb04d738cc7d2ad9e5ae1103e77f1dc4e2acdd31606a8a88f38db0296d85e3466082f044c06167657345629e87ba8128c595e6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dfb27ee0e5dbd8d2997ac092b9fc7744

SHA1
3bc3b712680d305696879f4926079f918cc0e761

SHA256
7f529ddad9fc0ee79575a8701ce8b56a9d2776c41acfa520f8c6be17bb96369a

SHA512
cb97526872fcabe08004411f7f29f6ae4cd8b8754a271b2dd8e0bce63b37540d3bfd303c5dc70c32383f134e4aabd395ee1935f0d19176a11bc3c4caeb52e0a7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
db5cc46bdc497a1346fb2d20a6c56784

SHA1
43bfbb83d94e414fe520b856043765acc212a26f

SHA256
cc6ed49fd77238b49dcf6405358eabee85080a1f1604f23ccb870d38bb2baed0

SHA512
5e33e99217b17c1c240f11dc8578ea007e5aebc2423cf27798177474410a494b5a46f049760f2b38c70edfa76a12e413777a1cc3e0ea888331ac0429d55cea24

Download Submit
memory/1560-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1668-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1668-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1668-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1668-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1816-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-53-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2540-52-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2540-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download