neconyd | ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Size

134KB
MD5

50efc66dc1e46205b6a07abe4a22b288
SHA1

34c834ade74b4c8608411fff6238343e9b42e832
SHA256

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7
SHA512

30e1cc6e1801de6545a4b3c1bb7291d93dc19063ad86ac951a5735754226ac70a1115a643604cbff1e282738f80712afd258540fa2fdd9026b5d45b51f9d3eb4
SSDEEP

1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiF:jiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2768	omsecor.exe
2108	omsecor.exe
2132	omsecor.exe
304	omsecor.exe
2348	omsecor.exe
2960	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
2768	omsecor.exe
2108	omsecor.exe
2108	omsecor.exe
304	omsecor.exe
304	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2768 set thread context of 2108	2768	omsecor.exe	32
PID 2132 set thread context of 304	2132	omsecor.exe	36
PID 2348 set thread context of 2960	2348	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2648 wrote to memory of 2660	2648	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	30
PID 2660 wrote to memory of 2768	2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	31
PID 2660 wrote to memory of 2768	2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	31
PID 2660 wrote to memory of 2768	2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	31
PID 2660 wrote to memory of 2768	2660	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	31
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2768 wrote to memory of 2108	2768	omsecor.exe	32
PID 2108 wrote to memory of 2132	2108	omsecor.exe	35
PID 2108 wrote to memory of 2132	2108	omsecor.exe	35
PID 2108 wrote to memory of 2132	2108	omsecor.exe	35
PID 2108 wrote to memory of 2132	2108	omsecor.exe	35
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 2132 wrote to memory of 304	2132	omsecor.exe	36
PID 304 wrote to memory of 2348	304	omsecor.exe	37
PID 304 wrote to memory of 2348	304	omsecor.exe	37
PID 304 wrote to memory of 2348	304	omsecor.exe	37
PID 304 wrote to memory of 2348	304	omsecor.exe	37
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38
PID 2348 wrote to memory of 2960	2348	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
"C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
949e4e80a44bd6e5c00199acb81fce42

SHA1
ee52fbd0ca86ab888e58c7c82ef600b4e5ae8622

SHA256
b65db116db21735859d9f8f9b686c9ba57c1b8774d4553d34af5bc4923c31c9d

SHA512
4e0577888ffa1f91c90ae7089afc371731012c42b0970010f50673a741c118e59d66f1169f2e98a7da26840e814edbd50afbf305487483ed6c4368008104d022

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
bcdbe6a9159a20565947a1b31b3f3e7d

SHA1
769851e95085ef3b85e571d107d5a8390f045b08

SHA256
2938dc31c84631b01ef99b4291dd4754e0991384e72304d28de22ff37511c655

SHA512
5a5bfbe0d1ac039acd888764ded19e67714f90eb300d64e6396cb2bc7a8b592fc6d5548aedf169f40db6575a582f572721f788d8b9f05b31570d3e872418f11d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
dae837137ccd091caaa399a9bfa7859b

SHA1
ba33ad6f900c75921e425fd63ed16a3b00cd3513

SHA256
fac3294d77ae2ec187c80260cd9eda3a3c8de844853d59e22ed19b27d5b8c732

SHA512
7d9505b098fe6eb037a4171344826f272d11b4c7e54ea5a01ba44c9125faaf8bd6c9a7fd953714ce6e42810abbc4fcce9fea9e92984d27e128335f3edc49e154

Download Submit
memory/2108-51-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2108-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2132-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2348-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2348-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2660-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-23-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/2960-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download