neconyd | 0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16d

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Size

134KB
MD5

cfce42e278831f3cdca01f86bc500a60
SHA1

b42ff30289417a450eba87faf37198fa733878df
SHA256

0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16d
SHA512

0880b8f2e7805e68bfa5c9276f8ce9415f2be878d64abad3c62b1552db2ccd61de493726b50e0d1b2098d814969c168cb0bbaf928609a80aeb0f5aa34a31aac0
SSDEEP

1536:kDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:6iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2804	omsecor.exe
2756	omsecor.exe
2888	omsecor.exe
2304	omsecor.exe
376	omsecor.exe
2108	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
2804	omsecor.exe
2756	omsecor.exe
2756	omsecor.exe
2304	omsecor.exe
2304	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2804 set thread context of 2756	2804	omsecor.exe	32
PID 2888 set thread context of 2304	2888	omsecor.exe	35
PID 376 set thread context of 2108	376	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2648 wrote to memory of 2124	2648	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	30
PID 2124 wrote to memory of 2804	2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	31
PID 2124 wrote to memory of 2804	2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	31
PID 2124 wrote to memory of 2804	2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	31
PID 2124 wrote to memory of 2804	2124	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	31
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2804 wrote to memory of 2756	2804	omsecor.exe	32
PID 2756 wrote to memory of 2888	2756	omsecor.exe	34
PID 2756 wrote to memory of 2888	2756	omsecor.exe	34
PID 2756 wrote to memory of 2888	2756	omsecor.exe	34
PID 2756 wrote to memory of 2888	2756	omsecor.exe	34
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2888 wrote to memory of 2304	2888	omsecor.exe	35
PID 2304 wrote to memory of 376	2304	omsecor.exe	36
PID 2304 wrote to memory of 376	2304	omsecor.exe	36
PID 2304 wrote to memory of 376	2304	omsecor.exe	36
PID 2304 wrote to memory of 376	2304	omsecor.exe	36
PID 376 wrote to memory of 2108	376	omsecor.exe	37
PID 376 wrote to memory of 2108	376	omsecor.exe	37
PID 376 wrote to memory of 2108	376	omsecor.exe	37
PID 376 wrote to memory of 2108	376	omsecor.exe	37
PID 376 wrote to memory of 2108	376	omsecor.exe	37
PID 376 wrote to memory of 2108	376	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
"C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
  C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
6a26bb28d5ab9e50788f001ac365926e

SHA1
b509b8b2f26db188d26fdfc248c160b06c1ce9d5

SHA256
d7c2057eeffd04a2c8f8f03e6dab957bbe9801cf30a478aaa057ba7c7644c117

SHA512
7eaaa0fb0c974b09dd143c36bf610a268e0cb5a20a6289eab9e116e6746e839cf93deaf7a60df8a65fff792eb645de8fb0cb7c1582e6a9f492cfcf7913f86286

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
fdebb57156c0828d5487ffb9f7c49f46

SHA1
9d5e9223baef5b9dba2e653a1f4bd97ed46b6aeb

SHA256
9e2db712645995dd9573ab0e73be604066782e3ae994b5da9001124abf552522

SHA512
286e045e4cd3db75250e0172ed086dd1e1972a42a0f01bb18bbe0118d99e64235b39fd39b7d358e1ef9e077854af84029d686b5e071f293912d23db2811f7403

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
60baa41e6e70924d74203d2a211de173

SHA1
9e81490530b55d3a026a3c8247f019eb62388a5a

SHA256
088dcfb108ab5ef2138f91e3c946ec25ab7a2bb3736ebfc202727aee7e117fc8

SHA512
f61089b3eed87aa0c689cf6af5d9eb0be7ae5b63f29d1444b398db466af0b91b9c36f0f164e122db8b5ff5c5b8bb1e1e0e0ac86fcb7cc5ac266c61d31c182cee

Download Submit
memory/376-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/376-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-14-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2124-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2124-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-1-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2648-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2756-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-46-0x0000000000470000-0x0000000000494000-memory.dmp

Filesize
144KB

Download
memory/2756-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-54-0x0000000000470000-0x0000000000494000-memory.dmp

Filesize
144KB

Download
memory/2756-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2804-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2804-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2888-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download