neconyd | 2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9feb

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
Size

96KB
MD5

f2ab66ceebeceabff99bd853e6bdbd40
SHA1

09c6e018602e6f0e53a422217780805da4f9d2e6
SHA256

2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9feb
SHA512

53a26b3c989df8abc526bbf0debe96c1500dc9f48557d446545a0236851822a249087d2c974522576bb63c395e04e220ab9d48f6d5c4257a8554da67e431d195
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2000	omsecor.exe
2424	omsecor.exe
2408	omsecor.exe
1296	omsecor.exe
2044	omsecor.exe
2608	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
2000	omsecor.exe
2424	omsecor.exe
2424	omsecor.exe
1296	omsecor.exe
1296	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 2000 set thread context of 2424	2000	omsecor.exe	33
PID 2408 set thread context of 1296	2408	omsecor.exe	37
PID 2044 set thread context of 2608	2044	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 3016 wrote to memory of 2452	3016	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	31
PID 2452 wrote to memory of 2000	2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	32
PID 2452 wrote to memory of 2000	2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	32
PID 2452 wrote to memory of 2000	2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	32
PID 2452 wrote to memory of 2000	2452	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	32
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2000 wrote to memory of 2424	2000	omsecor.exe	33
PID 2424 wrote to memory of 2408	2424	omsecor.exe	36
PID 2424 wrote to memory of 2408	2424	omsecor.exe	36
PID 2424 wrote to memory of 2408	2424	omsecor.exe	36
PID 2424 wrote to memory of 2408	2424	omsecor.exe	36
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 2408 wrote to memory of 1296	2408	omsecor.exe	37
PID 1296 wrote to memory of 2044	1296	omsecor.exe	38
PID 1296 wrote to memory of 2044	1296	omsecor.exe	38
PID 1296 wrote to memory of 2044	1296	omsecor.exe	38
PID 1296 wrote to memory of 2044	1296	omsecor.exe	38
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39
PID 2044 wrote to memory of 2608	2044	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
"C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
  C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
63edf5322c4ee5a8d7def62eab97fc56

SHA1
414a77bbfa3eca14037725e980493bb44ed9f4d1

SHA256
4105eaba4546f9ca5105845383cda1e4fe7cc6d1710239772b55d646e1318d0d

SHA512
29ab47465a745fc0e402b16628a8c558c5f07ce32164f50c0831b90191d4fcb469a764f54b4c001f50ea1513829c32ec388bac1f4c86d4f899afbf481ef229b2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f02e579325cf0c0c6b77c5b4ed15dafa

SHA1
3a3c07d297479c4456a4126bc1fecb9c89f6b902

SHA256
b184ccb2237bebd54f6207beef74770b77092e3f25281dc2771001b3758cbc10

SHA512
46ccffa08b4cd30780c0ef17324e18ab7af039b925f67398f092046b7ee6b6315fe21a2c09d355333fbfc2f9a56b555dfbc5992ef85fd690a291d1137678cc0d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b9807b254ab327d136833584368a398a

SHA1
3b5d6e69d2d4c8e3b807b1a447f9051ab3ad86ff

SHA256
2f0b62f83a2a339b8228ec9cd7bda5687ebcc75b459471c361eff2bc2e0e7fff

SHA512
874be421ecd7d53d070824db192459983d0f379574ad3631ad9cdb7ab47c4b644a5128b42fe5aef02ce8d798c430e51488583d60338a0ddf72719d4f698fe1c5

Download Submit
memory/1296-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-24-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2000-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2044-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2044-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-55-0x0000000002100000-0x0000000002123000-memory.dmp

Filesize
140KB

Download
memory/2424-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-48-0x0000000002100000-0x0000000002123000-memory.dmp

Filesize
140KB

Download
memory/2424-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2452-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2452-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2452-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2452-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3016-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download