neconyd | f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
Size

96KB
MD5

d1fb484be032bf88d1ef0bc194c69c51
SHA1

e1f932d917d0f5597a270a1b9fedd81d6b7e0d7e
SHA256

f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a
SHA512

f78b60fef01b290a43708cc842bb48ce2cd4f55c473933f64de1db5af3bf3cd69313379a47966257ed90214ec713c1f89e3a785214403fd3c9abd9d0118da5f4
SSDEEP

1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:NGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2724	omsecor.exe
2692	omsecor.exe
2076	omsecor.exe
532	omsecor.exe
2080	omsecor.exe
3004	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
2724	omsecor.exe
2692	omsecor.exe
2692	omsecor.exe
532	omsecor.exe
532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2724 set thread context of 2692	2724	omsecor.exe	32
PID 2076 set thread context of 532	2076	omsecor.exe	36
PID 2080 set thread context of 3004	2080	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2696 wrote to memory of 2828	2696	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	30
PID 2828 wrote to memory of 2724	2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	31
PID 2828 wrote to memory of 2724	2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	31
PID 2828 wrote to memory of 2724	2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	31
PID 2828 wrote to memory of 2724	2828	f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe	31
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2724 wrote to memory of 2692	2724	omsecor.exe	32
PID 2692 wrote to memory of 2076	2692	omsecor.exe	35
PID 2692 wrote to memory of 2076	2692	omsecor.exe	35
PID 2692 wrote to memory of 2076	2692	omsecor.exe	35
PID 2692 wrote to memory of 2076	2692	omsecor.exe	35
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 2076 wrote to memory of 532	2076	omsecor.exe	36
PID 532 wrote to memory of 2080	532	omsecor.exe	37
PID 532 wrote to memory of 2080	532	omsecor.exe	37
PID 532 wrote to memory of 2080	532	omsecor.exe	37
PID 532 wrote to memory of 2080	532	omsecor.exe	37
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38
PID 2080 wrote to memory of 3004	2080	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
"C:\Users\Admin\AppData\Local\Temp\f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
  C:\Users\Admin\AppData\Local\Temp\f92138b1c6726541ac127925284096f2285609faf68a91fe37eea53fd3218c3a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
bc2dc235c91f87ff194c3174214cdc4f

SHA1
dc7fc4919f887151164b70dd9651c4d4e187eaf9

SHA256
261b66971358b5ca786c4a651ad906fc9e7dae13530bdda49332da6239456cae

SHA512
7ce9d26ef3afdff28e9d6b4b3e858ae6e7928e22ab6416c69f478fe695b652e4dc8e4d72a53560a74a5ef0f5d58ea672d264ef76ea66da334cc95e0d115b2f2f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ccfdb7d6d90eecaf64a94573cd03485d

SHA1
f07e0077f5e208d37578ab91e98c23819c2e0868

SHA256
e2542646923d0707274935c9cd363512dd00558c2bb73f7ed1c1c76ba0d5f225

SHA512
14759d825526c0535fa914f14c7fba6b2ce99a2fafcc78b7565862baf0b0e86ed2bba5928765250922208f90a9631694551e181db88b3b43b6d7eff9220c1bb1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b18437b54986469a0073da3dcfbbb527

SHA1
89b07be430c99bba2c9f493bf5793024f354ddc5

SHA256
f6d3d86813e9e9c1be41f218b8f72845a6e6cd80428829b97c9c65a192d57a88

SHA512
6480b9f55da1be584c5769514f7f5477934f224b1b7011473405d549c4b353ff9092425febdc5ea0497ede3798aa5e576ce65d36122e085a6e22d08ec3efbbd3

Download Submit
memory/532-78-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2076-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2692-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-48-0x00000000005D0000-0x00000000005F3000-memory.dmp

Filesize
140KB

Download
memory/2692-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-19-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2828-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-17-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2828-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download