neconyd | a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1c

Analysis

max time kernel
114s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
Size

96KB
MD5

29807b887ed6d3269d66270ffe028030
SHA1

2f02bbff135c5a402618b7c25f377f7bd7ceca3e
SHA256

a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1c
SHA512

9187b1944d2e8a92610519acb62e58eb693b04d346e29e8875c7155230e81abbd84189c7f59275b177208ba97ac84ad20ee55672dc015cf6fd40a92da6673db0
SSDEEP

1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:WGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2016	omsecor.exe
1624	omsecor.exe
2244	omsecor.exe
1772	omsecor.exe
1748	omsecor.exe
1928	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
2016	omsecor.exe
1624	omsecor.exe
1624	omsecor.exe
1772	omsecor.exe
1772	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2016 set thread context of 1624	2016	omsecor.exe	30
PID 2244 set thread context of 1772	2244	omsecor.exe	35
PID 1748 set thread context of 1928	1748	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2288 wrote to memory of 2900	2288	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	28
PID 2900 wrote to memory of 2016	2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	29
PID 2900 wrote to memory of 2016	2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	29
PID 2900 wrote to memory of 2016	2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	29
PID 2900 wrote to memory of 2016	2900	a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe	29
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 2016 wrote to memory of 1624	2016	omsecor.exe	30
PID 1624 wrote to memory of 2244	1624	omsecor.exe	34
PID 1624 wrote to memory of 2244	1624	omsecor.exe	34
PID 1624 wrote to memory of 2244	1624	omsecor.exe	34
PID 1624 wrote to memory of 2244	1624	omsecor.exe	34
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 2244 wrote to memory of 1772	2244	omsecor.exe	35
PID 1772 wrote to memory of 1748	1772	omsecor.exe	36
PID 1772 wrote to memory of 1748	1772	omsecor.exe	36
PID 1772 wrote to memory of 1748	1772	omsecor.exe	36
PID 1772 wrote to memory of 1748	1772	omsecor.exe	36
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37
PID 1748 wrote to memory of 1928	1748	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
"C:\Users\Admin\AppData\Local\Temp\a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
  C:\Users\Admin\AppData\Local\Temp\a2a9bc05a17f1cdce623b4003140876adccd3b7168b83b8ea9865ed792b74b1cN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ead3874f17f01d467ec67c01dd747811

SHA1
61223b4ba55cc5c13bc8964b027a07cde87e53d1

SHA256
0fcdaf7ae4eec2c071783448268d221f3fc194cd121a3449025944f0598ca532

SHA512
2026160f2991ce06e31bece082831e96256ca6266bf5a9c17e3ca1b0e10d2ba1d2375ae4c05d2650cd0c8d43762d7a6064b132f31b5e1353b9ccc73ee5f0bce0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3ff3454341ce0285b23f79207c5df2e8

SHA1
5b2dce58263997b119699160058c8d8c59a5a559

SHA256
b86594dc3e01807836fb2300a9e5dfa31ce3c82ffd2aba902f779cbc1cb9ea1d

SHA512
824f73d165c308562bf2d2a74b1b38a5e5f27ee7e9dc996c0119b2887cd836a71e12aa747524f567390e560f749096c4ee9b96ad84ccf1a5f52b141bc0120f26

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f8c33d7af451a837c5dd559389f9b849

SHA1
096dcfa7040b4fc3c40ac66d95de5ed3ab3d363b

SHA256
6b16646e824197e8da9d53fb38247e1e5110a6089e99a8f8648a8ba1549e5016

SHA512
8360c447abe9e9d57e1b77494151d112ad160c63d2929bfd8e854380c8f25870c853038d7a5ba814389f10a3e4f37c177fa393c7894de05a33e6d4166e37f374

Download Submit
memory/1624-48-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/1624-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1748-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1748-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1928-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2016-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2288-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2288-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2288-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2900-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download