neconyd | 66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
Size

134KB
MD5

da15a332b8cf2a85cbc1936c57bfc550
SHA1

b5037b8f1db6eba5bfff0be57f8a531f6bfcb78b
SHA256

66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1f
SHA512

5231cc1cf1e80fe4fa665c4ae8944da68c4d0bc0184af7b5b3adba025caaba1285cadb9dee3e49fb2b85cad03b34fb9b6c1cb4d98329d1662ada3396627df81c
SSDEEP

1536:gDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:WiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2832	omsecor.exe
2216	omsecor.exe
856	omsecor.exe
536	omsecor.exe
1020	omsecor.exe
2184	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
2832	omsecor.exe
2216	omsecor.exe
2216	omsecor.exe
536	omsecor.exe
536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2832 set thread context of 2216	2832	omsecor.exe	32
PID 856 set thread context of 536	856	omsecor.exe	36
PID 1020 set thread context of 2184	1020	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2008 wrote to memory of 2720	2008	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	30
PID 2720 wrote to memory of 2832	2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	31
PID 2720 wrote to memory of 2832	2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	31
PID 2720 wrote to memory of 2832	2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	31
PID 2720 wrote to memory of 2832	2720	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	31
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2832 wrote to memory of 2216	2832	omsecor.exe	32
PID 2216 wrote to memory of 856	2216	omsecor.exe	35
PID 2216 wrote to memory of 856	2216	omsecor.exe	35
PID 2216 wrote to memory of 856	2216	omsecor.exe	35
PID 2216 wrote to memory of 856	2216	omsecor.exe	35
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 856 wrote to memory of 536	856	omsecor.exe	36
PID 536 wrote to memory of 1020	536	omsecor.exe	37
PID 536 wrote to memory of 1020	536	omsecor.exe	37
PID 536 wrote to memory of 1020	536	omsecor.exe	37
PID 536 wrote to memory of 1020	536	omsecor.exe	37
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38
PID 1020 wrote to memory of 2184	1020	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
"C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
  C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
aac93333957ff73e37d29234e7ad42ec

SHA1
edb8eb7d719fc902587fc1d888bfbced9fcbe6da

SHA256
50f69b38b68ac43ad709758a6b74ca4b70dda2f4a00950017fed556d10460508

SHA512
ced3f480c3aaa952cea5ad0009be468b068af387b50adf8b5db0eb78929196975fd07ee17ce2f4e2527905a0339224880fe2d3e4a7a4ff0ee19cb58569e85130

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b7fa46e509cae17363ddc5c61cb9b3aa

SHA1
b0b30666e962b7f48886249c48e804092239e72d

SHA256
09822de336ad9a9483883f52faa7c48924b25d55b0c324b98d90a03db66163ff

SHA512
53b66707a4de42e79d3656173681e6f27b705193cb459b6123317f99d2fcc02cf332908b925f1be80d09b510b6ed96f8769f0e0619e678c84566eab472e6c71e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
cc95097baaae6396ffb2828410aeb793

SHA1
9d50b272cf7f9bbf36e1d08dc08b7704fc3629d5

SHA256
294f4e0d076cb8f4dda9d550b10c9d565e39d2cc3d84159d63e07e2ad77bdd9c

SHA512
6d4e3cb581c3523a777c0f87784fc2492e62d49ad30c575308b34e76fc05f9decb1b3193bc2654fce3d5a2ef23dc52be372b977a24e817d9e436064466c6af00

Download Submit
memory/536-70-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/856-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/856-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1020-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2008-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2008-8-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2008-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-47-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2216-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-14-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2832-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-25-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download