neconyd | 7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Size

96KB
MD5

faba6b8efda574d5b206e71c9b0f0290
SHA1

f327efa0815365a06c2d7a32a9b0fdc8c814e59d
SHA256

7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670
SHA512

82bd7b26a497245203d5a02934d61407234814b8e3f4f369f77d9c16f805295678208f0e8681bf869deb60612dfaa522624c87567eb1330f7463d2bdbf82b515
SSDEEP

1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:AGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1784	omsecor.exe
2252	omsecor.exe
2272	omsecor.exe
1984	omsecor.exe
1492	omsecor.exe
1864	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
1784	omsecor.exe
2252	omsecor.exe
2252	omsecor.exe
1984	omsecor.exe
1984	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1784 set thread context of 2252	1784	omsecor.exe	33
PID 2272 set thread context of 1984	2272	omsecor.exe	37
PID 1492 set thread context of 1864	1492	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 1668 wrote to memory of 2520	1668	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	31
PID 2520 wrote to memory of 1784	2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	32
PID 2520 wrote to memory of 1784	2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	32
PID 2520 wrote to memory of 1784	2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	32
PID 2520 wrote to memory of 1784	2520	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	32
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 1784 wrote to memory of 2252	1784	omsecor.exe	33
PID 2252 wrote to memory of 2272	2252	omsecor.exe	36
PID 2252 wrote to memory of 2272	2252	omsecor.exe	36
PID 2252 wrote to memory of 2272	2252	omsecor.exe	36
PID 2252 wrote to memory of 2272	2252	omsecor.exe	36
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 2272 wrote to memory of 1984	2272	omsecor.exe	37
PID 1984 wrote to memory of 1492	1984	omsecor.exe	38
PID 1984 wrote to memory of 1492	1984	omsecor.exe	38
PID 1984 wrote to memory of 1492	1984	omsecor.exe	38
PID 1984 wrote to memory of 1492	1984	omsecor.exe	38
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39
PID 1492 wrote to memory of 1864	1492	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
"C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
  C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
68eb1220585ba097197cb66d41e54b26

SHA1
6374d089eeb2c0ce3c75fed371b6a26dfd579591

SHA256
bf50d35bd54110196313dc58854973498b0b0cab4820876c30b147efb6ba7254

SHA512
f554336f5caa3b679b0fa327f8897c3b410645fb2862fe4c08f6396efa7d7c6a949f224e8f3748f99fcc1e3ca3e477c1cd0b981cab77fc70e8a6a3590a232943

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4121198b04a5f06baac365412c410b84

SHA1
39181973d743006d4dc492fcfb9cebe231403f56

SHA256
3fd47075e7c36c27a837876bdb3d644ae8a092ff2fbfcb3c32a33ff51cb0c188

SHA512
a72ed9854f86441dc948bc48dfc7c6dba6a39b88f1b1a740a1d1245b632fa717503c9b6523af290d83ac6d19f7470bc473865838b073cbee905139f8c3220247

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c8e9208fcf18efb40257cd80bcabe0a8

SHA1
c55e2bcb2bc2b078c721a402dff30ad168e8fa60

SHA256
a0ca11e96f46e0909d9f62362eae6d2c45811981bc9b99ba7c17331ebe66b784

SHA512
b2d97d8e831988a27fcfffc72d0684519d4a4632bf7f7313b889d34c83a7d389e4fb7904487307740a5e64c4efb3f8ed84e1196674cca2c38136b913984c23f8

Download Submit
memory/1492-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1784-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1784-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-55-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2252-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-48-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2252-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2272-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2272-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2520-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-14-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2520-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download