neconyd | 706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
Size

96KB
MD5

42937ce35b7658b053cf8734ece52ff0
SHA1

f888c23184de6dbcc4bbbf0e34c2b1fbc2262668
SHA256

706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fc
SHA512

6f2961584d83f371124b5983645d8fe5eeb148e3c5170c5f8506ed3b2fc28522f9ef5bbccb5274405b56d8cbf69d94ca75c05bebe9f0947d01ce04caf9e2b577
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:lGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1080	omsecor.exe
2256	omsecor.exe
2360	omsecor.exe
1772	omsecor.exe
1944	omsecor.exe
2036	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
1080	omsecor.exe
2256	omsecor.exe
2256	omsecor.exe
1772	omsecor.exe
1772	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1080 set thread context of 2256	1080	omsecor.exe	33
PID 2360 set thread context of 1772	2360	omsecor.exe	37
PID 1944 set thread context of 2036	1944	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1320 wrote to memory of 1484	1320	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	31
PID 1484 wrote to memory of 1080	1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	32
PID 1484 wrote to memory of 1080	1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	32
PID 1484 wrote to memory of 1080	1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	32
PID 1484 wrote to memory of 1080	1484	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	32
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 1080 wrote to memory of 2256	1080	omsecor.exe	33
PID 2256 wrote to memory of 2360	2256	omsecor.exe	36
PID 2256 wrote to memory of 2360	2256	omsecor.exe	36
PID 2256 wrote to memory of 2360	2256	omsecor.exe	36
PID 2256 wrote to memory of 2360	2256	omsecor.exe	36
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 2360 wrote to memory of 1772	2360	omsecor.exe	37
PID 1772 wrote to memory of 1944	1772	omsecor.exe	38
PID 1772 wrote to memory of 1944	1772	omsecor.exe	38
PID 1772 wrote to memory of 1944	1772	omsecor.exe	38
PID 1772 wrote to memory of 1944	1772	omsecor.exe	38
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39
PID 1944 wrote to memory of 2036	1944	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
"C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
  C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
01540c75caf37226a9207f3aa3b6683c

SHA1
03dbd6aeb6768a13082290ff1b6eec78a360e7a7

SHA256
8331a0a031d974518135e87a8077ddf5e266786689b47e91a6f975857afd8358

SHA512
96b8bcf299e4f47a641737b454930aa3548a072bb80d044364d01485ec2a0f15b3db04403dc08df2f9f8fc42483edf4ae8f9a44964ed3c52a5821bdf053b5c8f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8112e31a329c1a87f97cdc89bfaf568d

SHA1
4185627603c5a8a854418cbfdf8cab20bccd14bd

SHA256
d354264806464cc25d30d74602f880fa4e733c7ed03ebcf343be23e66561cab6

SHA512
11697253266b4a8bced1f864c9debc76896c3eec25c774d7bc24aa4b08764a61f0b5541db69d2c1aaad235ec64e959995e838d553a8def68e5ec7fe54ceb7499

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
753e472822c96cb8167f1ef1642a30c4

SHA1
93870e5c86d542ca4aefde9e0e821362f1303d26

SHA256
8a42dfb36e57315343e01aad048ddcdcb6c1365f7e45dfc313aae1ada72cf69c

SHA512
d6e5f3371a7a3ea2b3a7e1a6241abd019a043711924c9c92932226995231b41602f423496c84911bf2c556ac158f5ee352fe17bc3a4e072e671dc154f7d742f5

Download Submit
memory/1080-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1080-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1080-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1320-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1320-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1484-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1484-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1484-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-49-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2256-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download