neconyd | 5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
Size

134KB
MD5

74d65e56dfa0dae94994c69487b7318d
SHA1

b5986171aed86cdbae59169dc2fdb06a3f84d424
SHA256

5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933
SHA512

2b711a6548adcbc25c1646f916f6a03b7283ed91e82380efefd38e24ab5282513543e7bf5bff16da40c92acaa4d0f25dcf1e05211977224e99beea815c25e01e
SSDEEP

1536:kDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi1:6iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1996	omsecor.exe
2704	omsecor.exe
2976	omsecor.exe
1656	omsecor.exe
2136	omsecor.exe
264	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
1996	omsecor.exe
2704	omsecor.exe
2704	omsecor.exe
1656	omsecor.exe
1656	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 1996 set thread context of 2704	1996	omsecor.exe	32
PID 2976 set thread context of 1656	2976	omsecor.exe	36
PID 2136 set thread context of 264	2136	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 2408 wrote to memory of 1312	2408	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	30
PID 1312 wrote to memory of 1996	1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	31
PID 1312 wrote to memory of 1996	1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	31
PID 1312 wrote to memory of 1996	1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	31
PID 1312 wrote to memory of 1996	1312	5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe	31
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	32
PID 2704 wrote to memory of 2976	2704	omsecor.exe	35
PID 2704 wrote to memory of 2976	2704	omsecor.exe	35
PID 2704 wrote to memory of 2976	2704	omsecor.exe	35
PID 2704 wrote to memory of 2976	2704	omsecor.exe	35
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 2976 wrote to memory of 1656	2976	omsecor.exe	36
PID 1656 wrote to memory of 2136	1656	omsecor.exe	37
PID 1656 wrote to memory of 2136	1656	omsecor.exe	37
PID 1656 wrote to memory of 2136	1656	omsecor.exe	37
PID 1656 wrote to memory of 2136	1656	omsecor.exe	37
PID 2136 wrote to memory of 264	2136	omsecor.exe	38
PID 2136 wrote to memory of 264	2136	omsecor.exe	38
PID 2136 wrote to memory of 264	2136	omsecor.exe	38
PID 2136 wrote to memory of 264	2136	omsecor.exe	38
PID 2136 wrote to memory of 264	2136	omsecor.exe	38
PID 2136 wrote to memory of 264	2136	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
"C:\Users\Admin\AppData\Local\Temp\5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
  C:\Users\Admin\AppData\Local\Temp\5cdb13bab77a57029ce7ec4ca3cfaf72ae9a2c26907536ef7826ad1d1a94d933.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
55c063f712df47757f9feefef511113c

SHA1
249359dd4368627b23eb99a64f0530cdc3ec3640

SHA256
c068374bd7c4b87f9055287d9be9de7553bed7b8fedf58c5e6a377e2c5be7957

SHA512
4646a8603aff7e15c1445f50c6118306d1d5546287f85e635128ba6b6fc790cd348a0714eb2020e1ad1e5323b44193eabfbb42557515b5f104e7ea32950333ed

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3d0d42d23829996626feb75f9fa63db9

SHA1
694b671fbfb7b12a6fc104ab81e7b62d7ecafc02

SHA256
6857a7ac54b863ff0faafe8c6142ba820485f528c2b965ca0d550903cc57310b

SHA512
f29b9e96b6a7e94307e404058f2a596e0c0da3106720250f562f0ba00f47a7dafccb1ce1c0a73545f0359b52fa4856ae785b1587b27236cfab4486163d44092c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e08f0251e0643920500e8b04548d36b6

SHA1
bf020c10639bd886da8d65dbb72758755c74aaee

SHA256
32aae733483e0ff2a4c8ee0769b3301d5ba0fceef345f803840d97694f40ef36

SHA512
877288506ce3b37cab5b8938ccaaff92bddea031a6720ff7db4e71076141c249aaa830b31f9c23de6511b94a1c6d5af8f8cc06271abfced821fe92c7843385fd

Download Submit
memory/264-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1312-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1312-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1312-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1312-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1312-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1996-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-29-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1996-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2408-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2408-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2408-6-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/2704-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-46-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2704-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download