neconyd | c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
Size

96KB
MD5

7c9673f460d47c60a428b24e95da3234
SHA1

db93ad32c3a13eaa5125883eba263c92e2ec9860
SHA256

c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43
SHA512

34d78af9ae82942af4423b61b8ed662c14b6eb4d1af71cbf00ecdf00aa544f7d82a4466c601a75bcdd471f402138477f7b1b4c439a4a27410cddba6d08c8b90f
SSDEEP

1536:dnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:dGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1496	omsecor.exe
2332	omsecor.exe
2064	omsecor.exe
1124	omsecor.exe
628	omsecor.exe
2948	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
1496	omsecor.exe
2332	omsecor.exe
2332	omsecor.exe
1124	omsecor.exe
1124	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1496 set thread context of 2332	1496	omsecor.exe	32
PID 2064 set thread context of 1124	2064	omsecor.exe	36
PID 628 set thread context of 2948	628	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 1908 wrote to memory of 2560	1908	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	30
PID 2560 wrote to memory of 1496	2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	31
PID 2560 wrote to memory of 1496	2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	31
PID 2560 wrote to memory of 1496	2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	31
PID 2560 wrote to memory of 1496	2560	c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe	31
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 1496 wrote to memory of 2332	1496	omsecor.exe	32
PID 2332 wrote to memory of 2064	2332	omsecor.exe	35
PID 2332 wrote to memory of 2064	2332	omsecor.exe	35
PID 2332 wrote to memory of 2064	2332	omsecor.exe	35
PID 2332 wrote to memory of 2064	2332	omsecor.exe	35
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 2064 wrote to memory of 1124	2064	omsecor.exe	36
PID 1124 wrote to memory of 628	1124	omsecor.exe	37
PID 1124 wrote to memory of 628	1124	omsecor.exe	37
PID 1124 wrote to memory of 628	1124	omsecor.exe	37
PID 1124 wrote to memory of 628	1124	omsecor.exe	37
PID 628 wrote to memory of 2948	628	omsecor.exe	38
PID 628 wrote to memory of 2948	628	omsecor.exe	38
PID 628 wrote to memory of 2948	628	omsecor.exe	38
PID 628 wrote to memory of 2948	628	omsecor.exe	38
PID 628 wrote to memory of 2948	628	omsecor.exe	38
PID 628 wrote to memory of 2948	628	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
"C:\Users\Admin\AppData\Local\Temp\c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
  C:\Users\Admin\AppData\Local\Temp\c02e508952d9104df5ffa75078754ef36be4a8806aacc0e6c0d5d7b09b5c0a43.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d08e1990f58a9219c2f51359410dfbe9

SHA1
f73718d2c152301446b872b48ef107bff04c6cdb

SHA256
11d44cb716739ca0a673dede2ece15e158ca96b4e1718d6f5be8638df8c7a61c

SHA512
ac235b81a67bd101499daac8603a96054966131ab38743e3d11cbd10255209156d9f7ad82f036bec8be394a460207b815eaadfd3b2087754751fce6e5a01413e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
56c8e8cca945d5c91b95a0278ceca1a3

SHA1
b4f66b84b8180027a7e0c2c87c5b88dc94545d4c

SHA256
1f577d272f6a5489d45752fe112bba83916e9a98d803ac0cfe115ed2f2374d92

SHA512
1a6ae26f6dfe2c818c6fcb94f93a3993345698e79d2fc715606a612e350a346eeb6e2d3e115bff7e95895a1b568dd904072166eae4dde7495d08781244f8f804

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
13af36431518d9cda9a66439276ce39b

SHA1
b20cab09cc46fbe41de2b077a985c415f0f3d169

SHA256
9e443a0d90f949245bc1404a4426bfbd72dc2308be652d02a942aa6d4209eee5

SHA512
5f890a34916709801a4584c96f92e4904c991541559c3da45ddf9694b056faa0d9f3f2e20f3d8e167155080b97ee3bccf05fa7acfcdd16fba14b701d0db49a6a

Download Submit
memory/628-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/628-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1124-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1496-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-47-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2560-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-20-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2560-13-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2560-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2948-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2948-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download