neconyd | 4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Size

96KB
MD5

20506b8e84787159e0193acda0990e3e
SHA1

10f672fd1f6a2041184ba0e6494250bb78dd8da9
SHA256

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e
SHA512

5caac43d66d54db0b9070d4329c6b14a48e63cea467c046f9be26167dcd23c49dbdf0e3e4bb2b85b12120621b087291f728dbce68398c7903a5bb92798f8ee82
SSDEEP

1536:FnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:FGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2516	omsecor.exe
2824	omsecor.exe
2316	omsecor.exe
1368	omsecor.exe
2736	omsecor.exe
816	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
2516	omsecor.exe
2824	omsecor.exe
2824	omsecor.exe
1368	omsecor.exe
1368	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 2516 set thread context of 2824	2516	omsecor.exe	31
PID 2316 set thread context of 1368	2316	omsecor.exe	34
PID 2736 set thread context of 816	2736	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 1544 wrote to memory of 2968	1544	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	29
PID 2968 wrote to memory of 2516	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2516	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2516	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2968 wrote to memory of 2516	2968	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	30
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2516 wrote to memory of 2824	2516	omsecor.exe	31
PID 2824 wrote to memory of 2316	2824	omsecor.exe	33
PID 2824 wrote to memory of 2316	2824	omsecor.exe	33
PID 2824 wrote to memory of 2316	2824	omsecor.exe	33
PID 2824 wrote to memory of 2316	2824	omsecor.exe	33
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 2316 wrote to memory of 1368	2316	omsecor.exe	34
PID 1368 wrote to memory of 2736	1368	omsecor.exe	35
PID 1368 wrote to memory of 2736	1368	omsecor.exe	35
PID 1368 wrote to memory of 2736	1368	omsecor.exe	35
PID 1368 wrote to memory of 2736	1368	omsecor.exe	35
PID 2736 wrote to memory of 816	2736	omsecor.exe	36
PID 2736 wrote to memory of 816	2736	omsecor.exe	36
PID 2736 wrote to memory of 816	2736	omsecor.exe	36
PID 2736 wrote to memory of 816	2736	omsecor.exe	36
PID 2736 wrote to memory of 816	2736	omsecor.exe	36
PID 2736 wrote to memory of 816	2736	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
"C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
18a46c1601e70d270cec3c27305f07dd

SHA1
1a84bc2f363cd80ce4665dd5f602248bd3c54f14

SHA256
5b139876d77abed497e0763a981afa6a209fb37df83e01093dd1dac7594d2a16

SHA512
e68d629a913b74d2b01a793dec0410b8d9fd73c80f5cc4de34d665d0be7c95309a84b9d84ec71b2ddd7db33b6a485574d67c95fe32fb2e9703aff6c9a211f3a2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
412094c9ec3439d6cd8b75c03a6c9d16

SHA1
3966c0fb7923fb37ba64a1e3aa7c947df6b62ef0

SHA256
b26a14e4b65825a1151e7ace034822988ec85794b4bcb71ee64907a3d91190ac

SHA512
a3c58af11ee65122b870f50e6c1831646f853c8d9a6e50a998915334c431963ea662a44f84f46008aa06e00cffac4e12d638d980365285c9bb4f4120ba8fe6db

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b4da19f87d2b86ed3738c3f1415102bf

SHA1
93ee25fb680953145818c1303d5033d03798db44

SHA256
9ae359a944689230191ac1bd982e49c2df6a2629357efba4f107d3fd8a98a217

SHA512
44480335c9d92909f2ca7a21993151137af60e0066ee25aa9ba7944146d2d3b8e392434d094a167a0dd13d1a5a8c791dc8a532d467db3b507159b700b3aef76d

Download Submit
memory/816-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1544-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1544-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1544-1-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2316-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2516-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2516-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2516-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2736-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2824-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2824-91-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2824-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2824-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2824-49-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2824-58-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2824-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2824-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download