neconyd | ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Size

96KB
MD5

8d3451b5deaebdda6578fba417dca760
SHA1

fe22f844f47eac7cd984de8718d19b751cd85d0b
SHA256

ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c
SHA512

7105663d1fe0c95bb73e547a3abd93158627b34982aabd0dbb18b8885c4023b9ac70bd58f282e26c4d03bbab8e2e90e0d5d2f01720360ff92a2e6b03d8b57b64
SSDEEP

1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:WGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2616	omsecor.exe
2072	omsecor.exe
1620	omsecor.exe
1448	omsecor.exe
2020	omsecor.exe
2976	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
2616	omsecor.exe
2072	omsecor.exe
2072	omsecor.exe
1448	omsecor.exe
1448	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2616 set thread context of 2072	2616	omsecor.exe	33
PID 1620 set thread context of 1448	1620	omsecor.exe	36
PID 2020 set thread context of 2976	2020	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2512 wrote to memory of 2880	2512	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	31
PID 2880 wrote to memory of 2616	2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	32
PID 2880 wrote to memory of 2616	2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	32
PID 2880 wrote to memory of 2616	2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	32
PID 2880 wrote to memory of 2616	2880	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	32
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2616 wrote to memory of 2072	2616	omsecor.exe	33
PID 2072 wrote to memory of 1620	2072	omsecor.exe	35
PID 2072 wrote to memory of 1620	2072	omsecor.exe	35
PID 2072 wrote to memory of 1620	2072	omsecor.exe	35
PID 2072 wrote to memory of 1620	2072	omsecor.exe	35
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1620 wrote to memory of 1448	1620	omsecor.exe	36
PID 1448 wrote to memory of 2020	1448	omsecor.exe	37
PID 1448 wrote to memory of 2020	1448	omsecor.exe	37
PID 1448 wrote to memory of 2020	1448	omsecor.exe	37
PID 1448 wrote to memory of 2020	1448	omsecor.exe	37
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38
PID 2020 wrote to memory of 2976	2020	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
"C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
  C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cfefbfbf26b9863a98471504d08f4bc0

SHA1
ff839e6eb32e39c2fb974fb70469ae29a36d9154

SHA256
3da1ecc3092d6a6fbe3885aaa27189d0ecb22f4e123d03ecf74a324c9b45860d

SHA512
f4152b28efd47bea66f2dad9df162b20c1362a6537ef24bccdd555e9e96e3e8db1b614aeb04749d7f2d3ef3360e8b742ca346a3b4b7aac4a8bdf3d3a740466fd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a07c5ebd98282cc1ce0998c506da6807

SHA1
f459a134fbd6cb88603f7cf32157d546669d136e

SHA256
40f835c579e4dafb2197a48db3b8dcea87196d0aad402e08c46e957f59b0374f

SHA512
48c6e8f18649d8908bdbd5d9395085e441ebce96cfac70c0845048ccfdf6a04c733443e8f9a268c603ce9eb7c8e649835b80a67450e24900744c238426abc654

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5e55bfece32c55e056d402038b9f1d3b

SHA1
1864dc8e0c4604e4553c66240d834b54c9c75c46

SHA256
a157cda4495adaa94537a3827b98419f88641479fead130cdd8da20ffb98a091

SHA512
43c74154c6e5798a4b1a08746c953677ee1132ccceacee461754d782ce7940f359c592dfe42ee0c77a2f699242c21a170148e907419db6453a0de003d4327acd

Download Submit
memory/1620-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1620-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-46-0x0000000001F80000-0x0000000001FA3000-memory.dmp

Filesize
140KB

Download
memory/2512-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2512-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2616-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2616-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2880-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download