neconyd | ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Size

134KB
MD5

50efc66dc1e46205b6a07abe4a22b288
SHA1

34c834ade74b4c8608411fff6238343e9b42e832
SHA256

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7
SHA512

30e1cc6e1801de6545a4b3c1bb7291d93dc19063ad86ac951a5735754226ac70a1115a643604cbff1e282738f80712afd258540fa2fdd9026b5d45b51f9d3eb4
SSDEEP

1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiF:jiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2228	omsecor.exe
2280	omsecor.exe
1744	omsecor.exe
1916	omsecor.exe
308	omsecor.exe
1088	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
2228	omsecor.exe
2280	omsecor.exe
2280	omsecor.exe
1916	omsecor.exe
1916	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2228 set thread context of 2280	2228	omsecor.exe	30
PID 1744 set thread context of 1916	1744	omsecor.exe	35
PID 308 set thread context of 1088	308	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 2900 wrote to memory of 3028	2900	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	28
PID 3028 wrote to memory of 2228	3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	29
PID 3028 wrote to memory of 2228	3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	29
PID 3028 wrote to memory of 2228	3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	29
PID 3028 wrote to memory of 2228	3028	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	29
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2228 wrote to memory of 2280	2228	omsecor.exe	30
PID 2280 wrote to memory of 1744	2280	omsecor.exe	34
PID 2280 wrote to memory of 1744	2280	omsecor.exe	34
PID 2280 wrote to memory of 1744	2280	omsecor.exe	34
PID 2280 wrote to memory of 1744	2280	omsecor.exe	34
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1744 wrote to memory of 1916	1744	omsecor.exe	35
PID 1916 wrote to memory of 308	1916	omsecor.exe	36
PID 1916 wrote to memory of 308	1916	omsecor.exe	36
PID 1916 wrote to memory of 308	1916	omsecor.exe	36
PID 1916 wrote to memory of 308	1916	omsecor.exe	36
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
"C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
949e4e80a44bd6e5c00199acb81fce42

SHA1
ee52fbd0ca86ab888e58c7c82ef600b4e5ae8622

SHA256
b65db116db21735859d9f8f9b686c9ba57c1b8774d4553d34af5bc4923c31c9d

SHA512
4e0577888ffa1f91c90ae7089afc371731012c42b0970010f50673a741c118e59d66f1169f2e98a7da26840e814edbd50afbf305487483ed6c4368008104d022

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d6d67c9bfdfb68813f26eed69ebcd8bc

SHA1
f594749046341c256f5a1945c6b6bd458fa081d9

SHA256
b072c822c2e5b905c3060533c30ffc82520744231f22eadc62b6dbf6e1daab4b

SHA512
a3fe89803a2ecc465049cc74fbfdd677a750923417410fe11ff76b3fc8395c6259a44cd4aa361d80a12053d6039ee4b0b5975bbcf513d5fccf75954cff00b702

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6c263176d73690cb159de8c5124c5398

SHA1
5a4297795cf17ab97efbf2d1a42a687a8e47aeb3

SHA256
3c999a381dbe0f4e802e70c5ba1e2ac382566b3f56760e69629f45cb50e323e2

SHA512
e0d2ad433fe338afe7be6ab694d090b6c3b3ff1db6cacd1e3014c79fe100bdf872133cf7f956729b0e73954d8cd408c299a933265539f4be8ce6a4a45bce4037

Download Submit
memory/308-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/308-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1088-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1744-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2228-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2228-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2280-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-57-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2280-47-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2280-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-34-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2900-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2900-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3028-17-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/3028-20-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/3028-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download