neconyd | 6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09eb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
Size

96KB
MD5

2b0d9b24b917d244b0ce5640b7596c80
SHA1

f640aecf865601f6bcf491a1b0a41456c0d95108
SHA256

6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09eb
SHA512

aeafef6fc8aeca78b9424611933b4e7b3fd945695c474f99bd02efbd24238b53343bf4e3d1fb47249b51584940f125041861e5a775fbf84ae3946eedf2ce1afb
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:aGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1924	omsecor.exe
1996	omsecor.exe
2704	omsecor.exe
2964	omsecor.exe
2960	omsecor.exe
2428	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
1924	omsecor.exe
1996	omsecor.exe
1996	omsecor.exe
2964	omsecor.exe
2964	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1924 set thread context of 1996	1924	omsecor.exe	32
PID 2704 set thread context of 2964	2704	omsecor.exe	36
PID 2960 set thread context of 2428	2960	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 1916 wrote to memory of 2016	1916	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	30
PID 2016 wrote to memory of 1924	2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	31
PID 2016 wrote to memory of 1924	2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	31
PID 2016 wrote to memory of 1924	2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	31
PID 2016 wrote to memory of 1924	2016	6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe	31
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1924 wrote to memory of 1996	1924	omsecor.exe	32
PID 1996 wrote to memory of 2704	1996	omsecor.exe	35
PID 1996 wrote to memory of 2704	1996	omsecor.exe	35
PID 1996 wrote to memory of 2704	1996	omsecor.exe	35
PID 1996 wrote to memory of 2704	1996	omsecor.exe	35
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2704 wrote to memory of 2964	2704	omsecor.exe	36
PID 2964 wrote to memory of 2960	2964	omsecor.exe	37
PID 2964 wrote to memory of 2960	2964	omsecor.exe	37
PID 2964 wrote to memory of 2960	2964	omsecor.exe	37
PID 2964 wrote to memory of 2960	2964	omsecor.exe	37
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38
PID 2960 wrote to memory of 2428	2960	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
"C:\Users\Admin\AppData\Local\Temp\6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
  C:\Users\Admin\AppData\Local\Temp\6ac570df977b5acbea1901eea5523e42f1216ea68786901c04a78e69111a09ebN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
99586e7a6401b3f207f04d2562f758bf

SHA1
5689d610a27722ec4ea0910a43761ee09b75958b

SHA256
37b18957375d803dc862c48c3c7f4ee55a5725764c805aa94c1bca876ae4e41c

SHA512
1d70482802d629c9a103599a75cf114eace88a79e04783547c21c65e79b1960ab827cabbbd3b873ba6b30957f8a68c919ff3ee54cc43b93c6092a70e4e620ef8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
268485462c75ce4d6a560966f78a9b31

SHA1
b066f604c2446e9aa6803cccb0d49fe9943d5fa9

SHA256
3f24b34b46383ae0f1235ff7a30be5a29beb2f057bc50a803f78670fcc452c12

SHA512
c22d7e51e25440c2b9c2cd51c56e2bcb804ff6b11e08039baded27a8104b2cbd03197abd8a15ad6b4f775482b088b8c0baa274e54ae5afc46085c1bef80385bc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5ac4268cda3ebb65f098d08379f28474

SHA1
d9778cadb383dfbfff11b131d80357f42839d7af

SHA256
60e1ea92acb74113b5ded70a4c78ef225d4742bc50813a58f75a34ecb2c368c8

SHA512
4e39ea30cea287bbf6c692c39119e7ef21e6c8865e4963dd1eed4acb69b1656c139dd9b87eac8a9482bdefbbff0a98e21bbe68ad44d5bb4b9f0c8b041b9d4aa5

Download Submit
memory/1916-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1996-46-0x00000000026B0000-0x00000000026D3000-memory.dmp

Filesize
140KB

Download
memory/1996-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2960-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2960-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2964-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download