neconyd | 4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e

Analysis

max time kernel
113s
max time network
102s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Size

96KB
MD5

20506b8e84787159e0193acda0990e3e
SHA1

10f672fd1f6a2041184ba0e6494250bb78dd8da9
SHA256

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e
SHA512

5caac43d66d54db0b9070d4329c6b14a48e63cea467c046f9be26167dcd23c49dbdf0e3e4bb2b85b12120621b087291f728dbce68398c7903a5bb92798f8ee82
SSDEEP

1536:FnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:FGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2704	omsecor.exe
2664	omsecor.exe
1740	omsecor.exe
2360	omsecor.exe
3028	omsecor.exe
2008	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
2704	omsecor.exe
2664	omsecor.exe
2664	omsecor.exe
2360	omsecor.exe
2360	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2704 set thread context of 2664	2704	omsecor.exe	32
PID 1740 set thread context of 2360	1740	omsecor.exe	36
PID 3028 set thread context of 2008	3028	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2896	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2896 wrote to memory of 2704	2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	31
PID 2896 wrote to memory of 2704	2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	31
PID 2896 wrote to memory of 2704	2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	31
PID 2896 wrote to memory of 2704	2896	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	31
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2704 wrote to memory of 2664	2704	omsecor.exe	32
PID 2664 wrote to memory of 1740	2664	omsecor.exe	35
PID 2664 wrote to memory of 1740	2664	omsecor.exe	35
PID 2664 wrote to memory of 1740	2664	omsecor.exe	35
PID 2664 wrote to memory of 1740	2664	omsecor.exe	35
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 1740 wrote to memory of 2360	1740	omsecor.exe	36
PID 2360 wrote to memory of 3028	2360	omsecor.exe	37
PID 2360 wrote to memory of 3028	2360	omsecor.exe	37
PID 2360 wrote to memory of 3028	2360	omsecor.exe	37
PID 2360 wrote to memory of 3028	2360	omsecor.exe	37
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38
PID 3028 wrote to memory of 2008	3028	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
"C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
18a46c1601e70d270cec3c27305f07dd

SHA1
1a84bc2f363cd80ce4665dd5f602248bd3c54f14

SHA256
5b139876d77abed497e0763a981afa6a209fb37df83e01093dd1dac7594d2a16

SHA512
e68d629a913b74d2b01a793dec0410b8d9fd73c80f5cc4de34d665d0be7c95309a84b9d84ec71b2ddd7db33b6a485574d67c95fe32fb2e9703aff6c9a211f3a2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
150cdee487160a95ed6382cd77ab61aa

SHA1
261d0c2d35880bbb1a6a80af7c492cb59cb6b831

SHA256
d72b009b47ab5e342064986531dc5917c2fba3f67d004353f3ee4a02d1019481

SHA512
372b44fa52435cfd1a888d98409cfd49455e0b11c36c8bc779b7143e2d20ff5e2af84d403c1f5c323dfd1f4e006d2a6d8f85c4c7065470d80e3fe2dfd2a7d063

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a88da4be77ba8b58a9d87339dc5e3b40

SHA1
e917ee203dd1412d7667fd219f79f8cf54dee78e

SHA256
508cc88cba5143b7cedd9a6bddeb14dd1debbd3d1398c2d62993be419e513b2a

SHA512
c8ce81067c9d623ceeae8b9e40827b37349912db6a62c1a348305675d59baca3d2b1ae676fcf09087977303af8fba42d6b67f9b9e30758cc52fe5ee5ddfda9a5

Download Submit
memory/1740-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1740-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-93-0x0000000001B50000-0x0000000001B73000-memory.dmp

Filesize
140KB

Download
memory/2360-81-0x0000000001B50000-0x0000000001B73000-memory.dmp

Filesize
140KB

Download
memory/2360-82-0x0000000001B50000-0x0000000001B73000-memory.dmp

Filesize
140KB

Download
memory/2664-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-55-0x00000000004A0000-0x00000000004C3000-memory.dmp

Filesize
140KB

Download
memory/2664-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-56-0x00000000004A0000-0x00000000004C3000-memory.dmp

Filesize
140KB

Download
memory/2704-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2896-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2896-35-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2896-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3028-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download