neconyd | 40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
Size

96KB
MD5

88de9c6897937c35255ac10b6bac4a66
SHA1

ad5b907ac354bbbae4bd1ea9b880a1e90470e172
SHA256

40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f
SHA512

ccb8b91c545641b5da431fad701e3923fd6a4f85b569cbe26f6aefa3a2ebfcf3d90dc0ddaa2a8a5cc0eb4cbfcb47104b3b6150b27dbef418eee405a7619c9bc6
SSDEEP

1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:hGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2564	omsecor.exe
2592	omsecor.exe
2356	omsecor.exe
2404	omsecor.exe
1548	omsecor.exe
2736	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
2564	omsecor.exe
2592	omsecor.exe
2592	omsecor.exe
2404	omsecor.exe
2404	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2564 set thread context of 2592	2564	omsecor.exe	32
PID 2356 set thread context of 2404	2356	omsecor.exe	36
PID 1548 set thread context of 2736	1548	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2748 wrote to memory of 2776	2748	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	30
PID 2776 wrote to memory of 2564	2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2776 wrote to memory of 2564	2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2776 wrote to memory of 2564	2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2776 wrote to memory of 2564	2776	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2564 wrote to memory of 2592	2564	omsecor.exe	32
PID 2592 wrote to memory of 2356	2592	omsecor.exe	35
PID 2592 wrote to memory of 2356	2592	omsecor.exe	35
PID 2592 wrote to memory of 2356	2592	omsecor.exe	35
PID 2592 wrote to memory of 2356	2592	omsecor.exe	35
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2356 wrote to memory of 2404	2356	omsecor.exe	36
PID 2404 wrote to memory of 1548	2404	omsecor.exe	37
PID 2404 wrote to memory of 1548	2404	omsecor.exe	37
PID 2404 wrote to memory of 1548	2404	omsecor.exe	37
PID 2404 wrote to memory of 1548	2404	omsecor.exe	37
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38
PID 1548 wrote to memory of 2736	1548	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
"C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
  C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6f6623357b718ea9224d15a761f8ab21

SHA1
6496075f9cd639d1962b1c18266dfcc1d0841244

SHA256
712046f2e93f4b5d25323e8795b75b4d0cf6df30c7601a5a1b660732689755e5

SHA512
9d44f90cf22e930747c446eb3a275fd772370048c76feccf8a7db965fcdbbdfd9a1d9986a965b3212a31ee050f41a75231c9331ea739881bb212d17e9ef2e682

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5c5f6654a1d48bb13e88fc51be2ece2d

SHA1
403cb93a102cbe9e2e9ff33e74f417c61948a580

SHA256
1ab7c6a0850cd9d1291bbdeddbb89abb9b492cb0476a02b87eefcbbcb90cf0e9

SHA512
808b58e89919e9b582dddef2c0303c34e267076a1d8933f2a7bdb4b68d650e01dc8f53d9c4819098f49ee7fb22cccaf62177089fc229636e58446427d2d8ea07

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
14e020cb1a3ae7e027fbeb335d3e967e

SHA1
ee9ae170b12434d4e7b58152e735ad736a75ff58

SHA256
0fc87507f6644870637d1d2fdb03b76d3acb5722d983376f2fcf85a3483b65a8

SHA512
4350d8964f13d5101ce6a6213ff4123413119770444a6e67a972b69151df6987fe327dd9cb7149efda48b1528c07f1a22a05388947e7d0d66aab7527f66e0e45

Download Submit
memory/1548-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2564-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-23-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2592-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-48-0x00000000020D0000-0x00000000020F3000-memory.dmp

Filesize
140KB

Download
memory/2736-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-35-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2776-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download