neconyd | 17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
Size

96KB
MD5

32686f40eab1e6acfa80d4445faef879
SHA1

87c90e4237a46b7fece4b1a1f53213d2b337e0d3
SHA256

17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90
SHA512

2dfee0aa179135e42a7bfc61a69adef1ccaa08ee6f5210f4b5691fff377ac9ea015d1377f576b1034777d78a013ef51457ffdaddc4b5854b7764882d562bdf36
SSDEEP

1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:BGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2376	omsecor.exe
2316	omsecor.exe
1696	omsecor.exe
1936	omsecor.exe
1712	omsecor.exe
2084	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
2376	omsecor.exe
2316	omsecor.exe
2316	omsecor.exe
1936	omsecor.exe
1936	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2376 set thread context of 2316	2376	omsecor.exe	32
PID 1696 set thread context of 1936	1696	omsecor.exe	36
PID 1712 set thread context of 2084	1712	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 2448 wrote to memory of 1880	2448	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	30
PID 1880 wrote to memory of 2376	1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	31
PID 1880 wrote to memory of 2376	1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	31
PID 1880 wrote to memory of 2376	1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	31
PID 1880 wrote to memory of 2376	1880	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	31
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2376 wrote to memory of 2316	2376	omsecor.exe	32
PID 2316 wrote to memory of 1696	2316	omsecor.exe	35
PID 2316 wrote to memory of 1696	2316	omsecor.exe	35
PID 2316 wrote to memory of 1696	2316	omsecor.exe	35
PID 2316 wrote to memory of 1696	2316	omsecor.exe	35
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1696 wrote to memory of 1936	1696	omsecor.exe	36
PID 1936 wrote to memory of 1712	1936	omsecor.exe	37
PID 1936 wrote to memory of 1712	1936	omsecor.exe	37
PID 1936 wrote to memory of 1712	1936	omsecor.exe	37
PID 1936 wrote to memory of 1712	1936	omsecor.exe	37
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38
PID 1712 wrote to memory of 2084	1712	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
"C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
  C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0d7cf5c4f57f7c89e4598eeeaeb9b573

SHA1
e7db55333f52ad6275a7bf3e3d9cc34c8decb10f

SHA256
a983ce7722bb3f6cd161418a02bc3c4bbf982abec3041d133b17d8e770c605fe

SHA512
e30eeae08c91cab9f3fa80e7c46a63f6f525cfb56bc930b96f8aa5836f9d313899a5ccae4f9cd7f3d95d056f55a2e2d6bf0d76ea35fe8ef10f624fedc2f6fd07

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4d33421c5034bc4c32e015cd72c6aea4

SHA1
197b798ccec045ab8a1f24dbab8f189a2f3c35d8

SHA256
adb32d97eb72cc4cb0ffc3624d044b1a97e82b18bd68d552148eb895c1384458

SHA512
b5dbd1ef2ec69ce832f703e11fa92efd19d4904c4078ffa667644947891833c263c09e5c1bcea2d71c5e7af9c8e8bb452e6d6e78c2e272dc41d296cb0e46433b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
29b320ab563afc08b0e0f87784160685

SHA1
78fd4e6883412a445ac4326253c5f059776717a1

SHA256
43c8eab00bad94f6b4e862d654863465c6cf1df2d349fd1836bbd43a815e9bdf

SHA512
45fbb68c661676104a3a248183cb3d405f35811452e6b686df4d65e14696a4ce2fa0f7e5c2e3af3257370ee1bfd7d771be8bdabe086b16dded7f079fb88ab72c

Download Submit
memory/1696-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1696-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1712-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1880-36-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/1880-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-21-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/1880-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2084-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-49-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2316-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2376-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2448-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2448-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download