neconyd | 40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
Size

96KB
MD5

88de9c6897937c35255ac10b6bac4a66
SHA1

ad5b907ac354bbbae4bd1ea9b880a1e90470e172
SHA256

40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f
SHA512

ccb8b91c545641b5da431fad701e3923fd6a4f85b569cbe26f6aefa3a2ebfcf3d90dc0ddaa2a8a5cc0eb4cbfcb47104b3b6150b27dbef418eee405a7619c9bc6
SSDEEP

1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:hGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2832	omsecor.exe
2676	omsecor.exe
1260	omsecor.exe
2016	omsecor.exe
1100	omsecor.exe
2008	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
2832	omsecor.exe
2676	omsecor.exe
2676	omsecor.exe
2016	omsecor.exe
2016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2832 set thread context of 2676	2832	omsecor.exe	33
PID 1260 set thread context of 2016	1260	omsecor.exe	37
PID 1100 set thread context of 2008	1100	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2688 wrote to memory of 2184	2688	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	31
PID 2184 wrote to memory of 2832	2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	32
PID 2184 wrote to memory of 2832	2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	32
PID 2184 wrote to memory of 2832	2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	32
PID 2184 wrote to memory of 2832	2184	40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe	32
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2832 wrote to memory of 2676	2832	omsecor.exe	33
PID 2676 wrote to memory of 1260	2676	omsecor.exe	36
PID 2676 wrote to memory of 1260	2676	omsecor.exe	36
PID 2676 wrote to memory of 1260	2676	omsecor.exe	36
PID 2676 wrote to memory of 1260	2676	omsecor.exe	36
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 1260 wrote to memory of 2016	1260	omsecor.exe	37
PID 2016 wrote to memory of 1100	2016	omsecor.exe	38
PID 2016 wrote to memory of 1100	2016	omsecor.exe	38
PID 2016 wrote to memory of 1100	2016	omsecor.exe	38
PID 2016 wrote to memory of 1100	2016	omsecor.exe	38
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39
PID 1100 wrote to memory of 2008	1100	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
"C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
  C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6f6623357b718ea9224d15a761f8ab21

SHA1
6496075f9cd639d1962b1c18266dfcc1d0841244

SHA256
712046f2e93f4b5d25323e8795b75b4d0cf6df30c7601a5a1b660732689755e5

SHA512
9d44f90cf22e930747c446eb3a275fd772370048c76feccf8a7db965fcdbbdfd9a1d9986a965b3212a31ee050f41a75231c9331ea739881bb212d17e9ef2e682

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
df8102be17f71dc8b2a1548f7e9c4007

SHA1
34e81b4827a8d885fe1317d6ad87f81247698ad7

SHA256
2c0b3d9d757a41406e20ce60d620de1b228ebf245e3ce6166ec5a33d6e0e9f0a

SHA512
6b3eda81b9fb8b7716950c50715ce915f904ef04be35c0a54e8097bf5a71392fcf56ea3e1f0c8ae459cbdca9af2c0bcab91a4383c37a17850cc3f39a5d8c8f97

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f4bbec0439a1c5459be315cd757fdd77

SHA1
ffc92ab3f5304de59cef62c492fbf54fc5ac5282

SHA256
b07a546952f44e5e0189735a351b4fc0ddbbd0d35a77d1a602429affada63ef5

SHA512
7996766ef4bdf78892fb77f6f40d70f65d30a2efd67f0b7641fa49d96cb90a043c4b17ef4f48932ba6dbb28d893940cf8a8546b5ecc17c73f75afa6be8ce61b9

Download Submit
memory/1100-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1100-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1260-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-71-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2184-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2184-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-47-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2676-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download