neconyd | 674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
Size

96KB
MD5

0b3b42bff5540bd1d729343bf6c84a34
SHA1

de07110e79b27a4e4f5835009ceae477170d9365
SHA256

674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db
SHA512

7a68f9b93cfc117da0af0ecc9c6c4423456d2e9f7c5fee6194715bfbd2ca9d767d03ee0f761883585226e9cc4b1a4a192aec56e43e807ce317f33f61257bedcc
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxu:OGs8cd8eXlYairZYqMddH13u

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1736	omsecor.exe
3000	omsecor.exe
2940	omsecor.exe
1836	omsecor.exe
1564	omsecor.exe
2344	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
1736	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe
1836	omsecor.exe
1836	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 1736 set thread context of 3000	1736	omsecor.exe	32
PID 2940 set thread context of 1836	2940	omsecor.exe	36
PID 1564 set thread context of 2344	1564	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 2508 wrote to memory of 1904	2508	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	30
PID 1904 wrote to memory of 1736	1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	31
PID 1904 wrote to memory of 1736	1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	31
PID 1904 wrote to memory of 1736	1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	31
PID 1904 wrote to memory of 1736	1904	674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe	31
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 1736 wrote to memory of 3000	1736	omsecor.exe	32
PID 3000 wrote to memory of 2940	3000	omsecor.exe	35
PID 3000 wrote to memory of 2940	3000	omsecor.exe	35
PID 3000 wrote to memory of 2940	3000	omsecor.exe	35
PID 3000 wrote to memory of 2940	3000	omsecor.exe	35
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 2940 wrote to memory of 1836	2940	omsecor.exe	36
PID 1836 wrote to memory of 1564	1836	omsecor.exe	37
PID 1836 wrote to memory of 1564	1836	omsecor.exe	37
PID 1836 wrote to memory of 1564	1836	omsecor.exe	37
PID 1836 wrote to memory of 1564	1836	omsecor.exe	37
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38
PID 1564 wrote to memory of 2344	1564	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
"C:\Users\Admin\AppData\Local\Temp\674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
  C:\Users\Admin\AppData\Local\Temp\674d56b5c25bb2e2d2bdaf44f626e6be22f1a8be941011a0b078488126cf46db.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a883e66e82d27f731b577451263f7238

SHA1
8b97b4315de2a96c4183b6b70783b81b9cf029ce

SHA256
1170e65620295e7e7ebaf3189c04fc6f3ec575054b6e00228e0fa75a46e042d1

SHA512
9f0ae8e32713b4ae1e171c6bb58e1f3ebaafa1e8454d880442f86d0b736ef6ac459be3edf873f5f8f6e04c333dd12ea90d043949680d8bb92ea842750b017b59

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5a3107f2be1f2b01e01f9e4507077bdf

SHA1
e03c148ea1b79e341c2fbab4da1c9bfa6ae902f6

SHA256
34aa54e792e25c63b52f682d0784bf383ac47f7fbc4f8a5e015b2b189eaa02d6

SHA512
46442d9b21162464ec39a22b2f0b3bf93287545d5ebf2ea362fc879fada39d4eec3acbe2f789636e94010e29776c10b3ae1959dcaa0515db65b6853120d77615

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7259a91933060fea13bb6de1da04c142

SHA1
eb9821ad4e53d254cabd43402059bce478637591

SHA256
99bf6ebe872418828759431f8be053e3138ff85155e8196c2040357f856cdd83

SHA512
99b4d6cb25f514ca33b36155fa33d3a36edd1299b369a0a0a75c4b7c0c1ed95bcb5d4faada30e217d878fc4edba66decc3f4ed8d2ea56a88f8f72e9172e5d174

Download Submit
memory/1564-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-70-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1904-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2508-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2508-8-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2940-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-47-0x0000000002320000-0x0000000002343000-memory.dmp

Filesize
140KB

Download
memory/3000-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download