neconyd | 35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
Size

96KB
MD5

dc7b5a6970fe25bf8c35b5a2272eb185
SHA1

377eee11a6e2edddffad09045bc0e9c8bde897ed
SHA256

35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7
SHA512

5146149efc2fab9810b074781c1bc16a7e1ae549ba7a9dd7e10de7376ec556661615ddc1554f91e80e02635645c415b8c8dcaacf74885d3937dc4b9c23032507
SSDEEP

1536:FnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:FGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2152	omsecor.exe
2292	omsecor.exe
1848	omsecor.exe
1116	omsecor.exe
1816	omsecor.exe
1556	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
2152	omsecor.exe
2292	omsecor.exe
2292	omsecor.exe
1116	omsecor.exe
1116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2152 set thread context of 2292	2152	omsecor.exe	32
PID 1848 set thread context of 1116	1848	omsecor.exe	36
PID 1816 set thread context of 1556	1816	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2352 wrote to memory of 2544	2352	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	30
PID 2544 wrote to memory of 2152	2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	31
PID 2544 wrote to memory of 2152	2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	31
PID 2544 wrote to memory of 2152	2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	31
PID 2544 wrote to memory of 2152	2544	35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe	31
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2152 wrote to memory of 2292	2152	omsecor.exe	32
PID 2292 wrote to memory of 1848	2292	omsecor.exe	35
PID 2292 wrote to memory of 1848	2292	omsecor.exe	35
PID 2292 wrote to memory of 1848	2292	omsecor.exe	35
PID 2292 wrote to memory of 1848	2292	omsecor.exe	35
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1848 wrote to memory of 1116	1848	omsecor.exe	36
PID 1116 wrote to memory of 1816	1116	omsecor.exe	37
PID 1116 wrote to memory of 1816	1116	omsecor.exe	37
PID 1116 wrote to memory of 1816	1116	omsecor.exe	37
PID 1116 wrote to memory of 1816	1116	omsecor.exe	37
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38
PID 1816 wrote to memory of 1556	1816	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
"C:\Users\Admin\AppData\Local\Temp\35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
  C:\Users\Admin\AppData\Local\Temp\35daebc18d2dfcdab4860b6a46e77543a6dbc15266cbce56f1eddd0d9cf92ba7.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
00e20f754c6e1a3028628f436532235e

SHA1
91bf9e3e79c0736f71101d08dbefd92becd8315b

SHA256
d0c57f5b914dad08da2679da1a3c4400acbb270c59cc931c7a59dc9bead8a873

SHA512
d5920531370d186b82f0eb9cefc82c0594cac4cd72c052a480edd4adf1e93fada5a02c13147fecfeb90d442c47bc3fd858b8139bc9216c2f4031a46bc118b5bf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e7cc8e69e77deba0f85b3aca9ead52a4

SHA1
0c50681b1d54d0d2f4111e986ca2686e6428e416

SHA256
6f93fb3f62297b23e6534f12c1224a8d0daffafc2bc3d61d608344df87e7a919

SHA512
728167b4f069649bc4198e82ac37a6e40f2404c7a64196914d2125cbce852ef0137fe653952255c838f015677cc93768a6b9f8c55cb2b9936060dcf5a7bd136e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
63a9cfc55d70ac7e0574d4e769d7c6a2

SHA1
9854fc234400054ca88540742b10d9302fcdce30

SHA256
e4d738d622e658beeaab163fb202159c5ad66af26530053cbe58e6a0c61f8b5e

SHA512
9f3b669aef167ba3dc124cff932b76a3fd3eee72dacbda4e795e3b814968c9c8f37ecea95d8cb7b9499177b987b4896162ffbf86466b13602d8851634cfc4a4b

Download Submit
memory/1556-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1816-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1816-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2292-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-54-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2292-55-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2352-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2544-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2544-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download