neconyd | b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
Size

96KB
MD5

17f0de6dbf2844af1cf0c355ddab6552
SHA1

a6fb2c6b1b25345237a3e58ec9163224803d0ba4
SHA256

b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951
SHA512

7788b17e1ea8236fd5400db1cea4b367d2a8c5e5e54ab99e7669ac9f89fa2e002c353589971cc888a082470d3e8d753c441598c60895e2568be6c229a4f0d68d
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:aGs8cd8eXlYairZYqMddH13j

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2756	omsecor.exe
2736	omsecor.exe
1940	omsecor.exe
1996	omsecor.exe
2004	omsecor.exe
1864	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
2756	omsecor.exe
2736	omsecor.exe
2736	omsecor.exe
1996	omsecor.exe
1996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2756 set thread context of 2736	2756	omsecor.exe	30
PID 1940 set thread context of 1996	1940	omsecor.exe	35
PID 2004 set thread context of 1864	2004	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2192 wrote to memory of 2988	2192	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	28
PID 2988 wrote to memory of 2756	2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	29
PID 2988 wrote to memory of 2756	2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	29
PID 2988 wrote to memory of 2756	2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	29
PID 2988 wrote to memory of 2756	2988	b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe	29
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2756 wrote to memory of 2736	2756	omsecor.exe	30
PID 2736 wrote to memory of 1940	2736	omsecor.exe	34
PID 2736 wrote to memory of 1940	2736	omsecor.exe	34
PID 2736 wrote to memory of 1940	2736	omsecor.exe	34
PID 2736 wrote to memory of 1940	2736	omsecor.exe	34
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1940 wrote to memory of 1996	1940	omsecor.exe	35
PID 1996 wrote to memory of 2004	1996	omsecor.exe	36
PID 1996 wrote to memory of 2004	1996	omsecor.exe	36
PID 1996 wrote to memory of 2004	1996	omsecor.exe	36
PID 1996 wrote to memory of 2004	1996	omsecor.exe	36
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37
PID 2004 wrote to memory of 1864	2004	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
"C:\Users\Admin\AppData\Local\Temp\b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
  C:\Users\Admin\AppData\Local\Temp\b9b498eabd4d374a02c4c5893a1a6c09b6e2a29ec3bc7b78a72b9169b6c6c951.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c83ddba5c2c33d99e260365e37e3820f

SHA1
c4e45a1b5529bf3a9cf321ba1df841128d6640be

SHA256
c050ba5b693195343f20f7136f5b733030b87db476a8090f2c84019b4aebab85

SHA512
465aacdf2b26bed90c3f351270ddc7746e82ed24a34a34a74088ca05000660f339c21237142662439e7452a064adc3ca69d786d0abb649f49e9f399d7d4bcf49

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f3550972497725cfa0093ce004538eb9

SHA1
8f7f4460ffcd0be50fe9b8966f5f199b0719f54c

SHA256
12f1c250b52f219f4e97cefa15a57addfc978926f7bb345f8bffad7442c20b8c

SHA512
95fa520f0677ebbd3a924dcd56b4594b2064461020fbbbd6ed52a93ac02b1f4d6a77761d779e3e32d89c648be50301cdfafdfc787eabc63461bd0bcb77f217f0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b6244a1e7736218448e9e03e860f3dcc

SHA1
6ae3d1a44bae518f9c9e7cfc7f53a6f1b104803e

SHA256
c38e10e51d58441c15cb3bb391baef1fbd01b45f2e26cbe01ee99332dd5b5556

SHA512
b2524e9ec12986f513ba10daba2c2fb194d0305f6e5d531b9879204d75edf23c58cf46cb0f0ec8bcbe058d4ed8aecb572887307bac6f779b6c2311aa432bf51a

Download Submit
memory/1864-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1940-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1940-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1996-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2004-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2192-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2192-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2736-55-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2756-24-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/2756-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download