neconyd | ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
Size

96KB
MD5

f8a08329c22573430f4c245f838c66a9
SHA1

bae4f0a052a2d0faf497a64949b6ee8fb32d6261
SHA256

ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c
SHA512

ef84286ac76a894c11b1cd6b7bb88ba0d209eb95653ede138be8a1a69f9e442135800680dc63c7690ac2c099bf52f5911687db106e56090605199679c81692ac
SSDEEP

1536:9nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:9Gs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2388	omsecor.exe
2480	omsecor.exe
1664	omsecor.exe
1880	omsecor.exe
3020	omsecor.exe
2052	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
2388	omsecor.exe
2480	omsecor.exe
2480	omsecor.exe
1880	omsecor.exe
1880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2388 set thread context of 2480	2388	omsecor.exe	32
PID 1664 set thread context of 1880	1664	omsecor.exe	36
PID 3020 set thread context of 2052	3020	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 2612 wrote to memory of 1628	2612	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	30
PID 1628 wrote to memory of 2388	1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	31
PID 1628 wrote to memory of 2388	1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	31
PID 1628 wrote to memory of 2388	1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	31
PID 1628 wrote to memory of 2388	1628	ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe	31
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2388 wrote to memory of 2480	2388	omsecor.exe	32
PID 2480 wrote to memory of 1664	2480	omsecor.exe	35
PID 2480 wrote to memory of 1664	2480	omsecor.exe	35
PID 2480 wrote to memory of 1664	2480	omsecor.exe	35
PID 2480 wrote to memory of 1664	2480	omsecor.exe	35
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1664 wrote to memory of 1880	1664	omsecor.exe	36
PID 1880 wrote to memory of 3020	1880	omsecor.exe	37
PID 1880 wrote to memory of 3020	1880	omsecor.exe	37
PID 1880 wrote to memory of 3020	1880	omsecor.exe	37
PID 1880 wrote to memory of 3020	1880	omsecor.exe	37
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38
PID 3020 wrote to memory of 2052	3020	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
"C:\Users\Admin\AppData\Local\Temp\ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
  C:\Users\Admin\AppData\Local\Temp\ef4fa9b004946c519d1df02891808e66f59904036364f3fd8b271d9e072daa7c.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
967e0b4dcbfef0b1b6ebb793811cc2bb

SHA1
3e2c1162b334fb4000e3b9aff0c4feef02d25ea3

SHA256
c772a34d9bc5d96a11662dda1cb8438c89f74b357f597b52cc53cc900dbd664f

SHA512
9a61df8c620c444032f287d99a39db92445e3289a62175b1e1c9243b7f77497d34d595869e8b97598597317210546dd14503fd1f79793984288ac4963ea4cba0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
26a4c4946bba189d39e399c13cee3f39

SHA1
262f9d2ee4cb890fb75fbd3c7cd8e40771797ddf

SHA256
31c1b30406807c10b5b44d0547f379967d331c956c0aa10ec949d3e3aedc151e

SHA512
970fab6dd38d67975fae4e1888d2596a6b9b237833d031d73bde8370df08c72579b1770cfc5ea401d883228651685b8b8779f8fb7147e0cd73d5b1247feeed9b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5ebf62e82e3cebb7c266c62d2e47eb6f

SHA1
c8bdbc84a0164a0915719f87f2c460b53bddb29d

SHA256
b9b8f17d18c28feb581a19b8efaa86d6683c65fe25e6b3415f5bbdde34ee6ca8

SHA512
56ba72a047ecb1b6ce56bb5fa0e0d10a5dfae7fa872c407484c280f90759b6c8ed6077cd206a1a48cb85ded7d2c3522c0fb8c23d990f3f12d7589c97a14459ec

Download Submit
memory/1628-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1628-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1628-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1628-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1628-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1664-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1664-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1880-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2052-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2388-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-47-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2480-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2612-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download