neconyd | 3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
Size

96KB
MD5

2417ed6e2b275f1f0f254ffeecf1d9fe
SHA1

e77863df7b7a0983b5b4db7958dd301bfaa9b6dc
SHA256

3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f
SHA512

794f5a0587630a29fc3c91131d26d249b5acf47080b033558361b3edd5ceb4d0dabc2c20f85eef6aa16658794a878a60d332830084594a807249e666d528228f
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:QGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2080	omsecor.exe
2852	omsecor.exe
1308	omsecor.exe
2988	omsecor.exe
2136	omsecor.exe
2108	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
2080	omsecor.exe
2852	omsecor.exe
2852	omsecor.exe
2988	omsecor.exe
2988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2080 set thread context of 2852	2080	omsecor.exe	32
PID 1308 set thread context of 2988	1308	omsecor.exe	36
PID 2136 set thread context of 2108	2136	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2720 wrote to memory of 2832	2720	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	30
PID 2832 wrote to memory of 2080	2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	31
PID 2832 wrote to memory of 2080	2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	31
PID 2832 wrote to memory of 2080	2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	31
PID 2832 wrote to memory of 2080	2832	3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe	31
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2080 wrote to memory of 2852	2080	omsecor.exe	32
PID 2852 wrote to memory of 1308	2852	omsecor.exe	35
PID 2852 wrote to memory of 1308	2852	omsecor.exe	35
PID 2852 wrote to memory of 1308	2852	omsecor.exe	35
PID 2852 wrote to memory of 1308	2852	omsecor.exe	35
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 2988 wrote to memory of 2136	2988	omsecor.exe	37
PID 2988 wrote to memory of 2136	2988	omsecor.exe	37
PID 2988 wrote to memory of 2136	2988	omsecor.exe	37
PID 2988 wrote to memory of 2136	2988	omsecor.exe	37
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38
PID 2136 wrote to memory of 2108	2136	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
"C:\Users\Admin\AppData\Local\Temp\3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
  C:\Users\Admin\AppData\Local\Temp\3084467274704f89cc85a340280df7f5afb86f1fc4cc95de3ab452a3235f843f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
bcb66cc3f20450c9b9adee6530b57e48

SHA1
0aaa7f52a78f784821eb67625d2b36f150e3e77f

SHA256
7e6d328fc82a19fc346bfe9e3e41a7e4cc30d1c89f06605d498be76e9491dc04

SHA512
883564c35399babaf5cd1b7e5bc9de2f9cf838bb4963a0a359c6f238f11bd536a29ab6904824178214fe7d203df2969ac0009880011262cd84a1bf8d9a5eef86

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
443fd0234124d68ee699892e3651428a

SHA1
0e49aa209388453aa922c998f7e8ac6e7f993276

SHA256
2f7e3ee2db0920fc6e2b23ed4d1c1fad7b8a06dff35a8523bf4d8194494d8dd0

SHA512
6cc8a9b8858e556eccd1a8640b2e81f345903da61c4a722960061a6b0120f94230b44c78e377972b35b988c497356ba865dc90d64c36aba22dbd2b8e172c0005

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
31a9caa67cb84098d90c5f434c67080e

SHA1
1d31f673023c1fd01f16f408f110e87ecc23dbb2

SHA256
80d6b6eeecf286b343cf9a445c4e83caf4d47dde203abffdd7df867f3811c587

SHA512
a59209061ceaaa0817f5c486b0486338b039043f5b6ff99895e697f4dbf23ee33025d14d0d9ea3521dc6134cbdb5d315f249ebf7df9d21069c52214de8869d0b

Download Submit
memory/1308-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2136-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-20-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2832-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-47-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2852-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download