neconyd | 44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
Size

96KB
MD5

3f1bd47cf849006f14844a2e79352954
SHA1

b186553da22bd16e8ff4d72743d8533cfe9667dd
SHA256

44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17
SHA512

baf93d533d0c680620d665fdf1b6e16770b6273709d71c4ca4a2c6132d2d18aec12db1a6a93fbac3c5b0b9fbd53ad39113cb889de090706acb969ac695d11d42
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxD:lGs8cd8eXlYairZYqMddH13D

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2316	omsecor.exe
2992	omsecor.exe
2600	omsecor.exe
1352	omsecor.exe
2888	omsecor.exe
2356	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
2316	omsecor.exe
2992	omsecor.exe
2992	omsecor.exe
1352	omsecor.exe
1352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2316 set thread context of 2992	2316	omsecor.exe	33
PID 2600 set thread context of 1352	2600	omsecor.exe	37
PID 2888 set thread context of 2356	2888	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 2332 wrote to memory of 1548	2332	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	31
PID 1548 wrote to memory of 2316	1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	32
PID 1548 wrote to memory of 2316	1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	32
PID 1548 wrote to memory of 2316	1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	32
PID 1548 wrote to memory of 2316	1548	44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe	32
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2316 wrote to memory of 2992	2316	omsecor.exe	33
PID 2992 wrote to memory of 2600	2992	omsecor.exe	36
PID 2992 wrote to memory of 2600	2992	omsecor.exe	36
PID 2992 wrote to memory of 2600	2992	omsecor.exe	36
PID 2992 wrote to memory of 2600	2992	omsecor.exe	36
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 2600 wrote to memory of 1352	2600	omsecor.exe	37
PID 1352 wrote to memory of 2888	1352	omsecor.exe	38
PID 1352 wrote to memory of 2888	1352	omsecor.exe	38
PID 1352 wrote to memory of 2888	1352	omsecor.exe	38
PID 1352 wrote to memory of 2888	1352	omsecor.exe	38
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39
PID 2888 wrote to memory of 2356	2888	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
"C:\Users\Admin\AppData\Local\Temp\44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
  C:\Users\Admin\AppData\Local\Temp\44069e8ca902004647f0f557a92a4d273e6942ecc88f9b44687c2e8a9cb2ec17.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
897654eac308bec4516a039c591b1681

SHA1
e0d5e9b26c3ad2cc3521b26271eee3ba1c97a6c9

SHA256
ac44f5469d7faaf4ea80b60b7662ac6b3990df9bacae7743376f7de712f5f85a

SHA512
cd213fbe46bdedc96e95e9bfd42eeba72a18da8bd3b84159e49e7948f0185d6d593e625c70880884634becb74db0253de28f6ff0c6dba18c1b02e2c077ccb1dc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
18d005da7597701f7b4a42acfe12aa49

SHA1
7f7f60068a534b798c0ab345d814b77ecf235a90

SHA256
c9ee0715b1470a6352d8c911d58430fd845526ebe742168ef9cc54602319b69d

SHA512
9af69fe803070621a691e2e4fa0eb1036ccc68291b9fc85fb51246b8c3e359ed17a40642a9237c480d4027e583e3d91d819631ef56e32b44e6ac0edfa0125a89

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f21a6f9a79e5c5c3bdcfdd49f1c5969c

SHA1
020554072a557e9d8cd46d4ba2cb61b87f993cf0

SHA256
1e4c63149ef5cf223b3e19ac50f4f2074effcdcbf5b56a6790c8bfab37d7e27a

SHA512
69b3f4efacd6879df4ebe651e884e4a0bc7821805df2514177018111c3acdef5d1b58d92541df858f8f78843fe256bf3508e70ca924d25bf202c17f8cf376570

Download Submit
memory/1352-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1548-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2316-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2316-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2600-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2600-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-53-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2992-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-54-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2992-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download