neconyd | 15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
Size

96KB
MD5

908bcf3c4fadd2ae2629523879d59250
SHA1

9fc9f54fc234dc2d4fc69165c3bf50623f0aae73
SHA256

15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0
SHA512

80582a387d6b3bf1346189d847ec85cabef6d854f2cc138eb0e49b530db2508d5972d1deedbb718f16a4041d23240e1f1e7b0d51cc420f8d9026816f37168154
SSDEEP

1536:ZnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:ZGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2780	omsecor.exe
2672	omsecor.exe
1708	omsecor.exe
1908	omsecor.exe
1964	omsecor.exe
2948	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
2780	omsecor.exe
2672	omsecor.exe
2672	omsecor.exe
1908	omsecor.exe
1908	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2780 set thread context of 2672	2780	omsecor.exe	32
PID 1708 set thread context of 1908	1708	omsecor.exe	36
PID 1964 set thread context of 2948	1964	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2364 wrote to memory of 2236	2364	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	30
PID 2236 wrote to memory of 2780	2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	31
PID 2236 wrote to memory of 2780	2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	31
PID 2236 wrote to memory of 2780	2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	31
PID 2236 wrote to memory of 2780	2236	15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe	31
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2780 wrote to memory of 2672	2780	omsecor.exe	32
PID 2672 wrote to memory of 1708	2672	omsecor.exe	35
PID 2672 wrote to memory of 1708	2672	omsecor.exe	35
PID 2672 wrote to memory of 1708	2672	omsecor.exe	35
PID 2672 wrote to memory of 1708	2672	omsecor.exe	35
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1708 wrote to memory of 1908	1708	omsecor.exe	36
PID 1908 wrote to memory of 1964	1908	omsecor.exe	37
PID 1908 wrote to memory of 1964	1908	omsecor.exe	37
PID 1908 wrote to memory of 1964	1908	omsecor.exe	37
PID 1908 wrote to memory of 1964	1908	omsecor.exe	37
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38
PID 1964 wrote to memory of 2948	1964	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
"C:\Users\Admin\AppData\Local\Temp\15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
  C:\Users\Admin\AppData\Local\Temp\15d61bf8d6a1ea48198ee726610e25263a290aa35721adb5b46e60a713f0a3f0N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
34849c9bb38d85136fc8e449ebb7756c

SHA1
fc00718187c51b392a53186e55aa40dc56e5cba0

SHA256
ea6a9d9ddd0ef47bc6ff0a92d724f728a40cac37930e559b133abb0c7396ef31

SHA512
45b97ae5a6caab31fb1ae3f7b8e72385e080a1304a175ea5a8fcb21ac9e742dc2627a56c64e8c690a7a96f623bdb8cb5e99c32d900544b334f9ea68b295c3351

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
aadc6fab3cc47bb7edf8b6f11ee271d5

SHA1
5513a1ac9b088bde29f1e321d57941749b765126

SHA256
51c0ddc037461aa809edbc189f66a99c694188d7f0c3041932b08ba14f8bb4d2

SHA512
f0d9351d5199293176d9b6979cac7c2894ddd1f3c40c156432a6db28f9f418d644d811676a3537a9d1bfb893584aee79c50dadbc793c27fbda3c2d013976f885

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
730082c95e7d27cdba45c2d896b963f0

SHA1
d0aaa4e99e2f88565729b4c8f3b6c15584dd4861

SHA256
bc01e6c4981690bf4face0a0ee249d6da68513040328ede3c88ac04f8360e01c

SHA512
78cd9a05c3dd4c140d6f574e03fae5025d92e659179fd90b852a3067f5597984c01f9d2ab6279d1b0e53b155258bc3965d513fc61e82099bbde0db7519e8cc80

Download Submit
memory/1708-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1964-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1964-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2672-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-53-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2672-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2780-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2780-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download