neconyd | 202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3deb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Size

134KB
MD5

622a24ded3eadc25a3f5f6fac27c8e60
SHA1

1d7fe49b2aae07c9cd77860f13b0eb753d3611e1
SHA256

202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3deb
SHA512

3a7919f01563396d1aab3fc2c2d05c4fa32c754c312daff21c5364e70a17d9264282b17a7bf2e494b864c94f6600eb6b876d5a5d7f19e0e0d2a0dbeffc7e46e8
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCin:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaG

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1732	omsecor.exe
796	omsecor.exe
1772	omsecor.exe
2928	omsecor.exe
2376	omsecor.exe
348	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
1732	omsecor.exe
796	omsecor.exe
796	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 1732 set thread context of 796	1732	omsecor.exe	32
PID 1772 set thread context of 2928	1772	omsecor.exe	36
PID 2376 set thread context of 348	2376	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2056 wrote to memory of 2692	2056	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	30
PID 2692 wrote to memory of 1732	2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	31
PID 2692 wrote to memory of 1732	2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	31
PID 2692 wrote to memory of 1732	2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	31
PID 2692 wrote to memory of 1732	2692	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	31
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 1732 wrote to memory of 796	1732	omsecor.exe	32
PID 796 wrote to memory of 1772	796	omsecor.exe	35
PID 796 wrote to memory of 1772	796	omsecor.exe	35
PID 796 wrote to memory of 1772	796	omsecor.exe	35
PID 796 wrote to memory of 1772	796	omsecor.exe	35
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 1772 wrote to memory of 2928	1772	omsecor.exe	36
PID 2928 wrote to memory of 2376	2928	omsecor.exe	37
PID 2928 wrote to memory of 2376	2928	omsecor.exe	37
PID 2928 wrote to memory of 2376	2928	omsecor.exe	37
PID 2928 wrote to memory of 2376	2928	omsecor.exe	37
PID 2376 wrote to memory of 348	2376	omsecor.exe	38
PID 2376 wrote to memory of 348	2376	omsecor.exe	38
PID 2376 wrote to memory of 348	2376	omsecor.exe	38
PID 2376 wrote to memory of 348	2376	omsecor.exe	38
PID 2376 wrote to memory of 348	2376	omsecor.exe	38
PID 2376 wrote to memory of 348	2376	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
"C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
  C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d4d610803b5052cafc828ddb482c6fbd

SHA1
ad137da6e7ea42d7b71cc7f3319a1ae21ef9dba3

SHA256
48b516f3894831842caa26b1ab0660f8740970bbd2718555f3748ab9a61cd6a9

SHA512
803d1896991035673cae6e75c3963dad6cf6e9aa660d8e975f8638c4610a35265ba3cd982645f0c1993fc1b6a1ed3cb28eaf4bdbb24648abb76fc80ef0d8df61

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
4d8557901f0c5e7fe8015d6f3de7c351

SHA1
f78fe22768a2324c24d9fc81997c34ff1cd2f096

SHA256
76bdfc838dfb2de9f20538c562ab4e8ceeeca4b552f719af3115aeedaf9a27b1

SHA512
e5cae4d1ca2542bea5e455171264af79481f3a7c7f42bd39647f028275d436a2716fd007b4ee3daa4ec0cf8408dcfd706f05bbcf170e63cd28e16b5681095291

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
ff14d0be5d912a9d3241419b2e0bb9c3

SHA1
e89aa9c8c991526c165f066686e73dcadc34c8e6

SHA256
d1e214620845c0554b8cf4c2c3bad2fd093478cfd2bbca84654d428c8cf0562d

SHA512
2ba5a4fc7c75321c8bbe436d597443e0804041f8226ab3d641261473a77fd825f68fd530de21144bc350a0a30b87b7871d7a4f9ee1461f12719c2ec5f26af5f4

Download Submit
memory/348-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/796-45-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download
memory/796-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/796-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/796-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/796-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/796-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1732-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2692-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download