neconyd | c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
Size

96KB
MD5

88a830fdf0f96f8643fc290710c0a580
SHA1

68fa6d58b5f014a8061456736413a7cc933805b4
SHA256

c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1
SHA512

7b756edc66fcdf047b49744b3d02bbc988d30c570fa075cbac0be04a157947e5d8c4f6aa6f6b8a08d4daa39a4b5f33b81f9e05adc00bfbd73451ceb53ec33e2c
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:JGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2172	omsecor.exe
2076	omsecor.exe
2408	omsecor.exe
1920	omsecor.exe
1556	omsecor.exe
2988	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
2172	omsecor.exe
2076	omsecor.exe
2076	omsecor.exe
1920	omsecor.exe
1920	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2172 set thread context of 2076	2172	omsecor.exe	32
PID 2408 set thread context of 1920	2408	omsecor.exe	36
PID 1556 set thread context of 2988	1556	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2068 wrote to memory of 2024	2068	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	30
PID 2024 wrote to memory of 2172	2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	31
PID 2024 wrote to memory of 2172	2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	31
PID 2024 wrote to memory of 2172	2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	31
PID 2024 wrote to memory of 2172	2024	c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe	31
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2172 wrote to memory of 2076	2172	omsecor.exe	32
PID 2076 wrote to memory of 2408	2076	omsecor.exe	35
PID 2076 wrote to memory of 2408	2076	omsecor.exe	35
PID 2076 wrote to memory of 2408	2076	omsecor.exe	35
PID 2076 wrote to memory of 2408	2076	omsecor.exe	35
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 2408 wrote to memory of 1920	2408	omsecor.exe	36
PID 1920 wrote to memory of 1556	1920	omsecor.exe	37
PID 1920 wrote to memory of 1556	1920	omsecor.exe	37
PID 1920 wrote to memory of 1556	1920	omsecor.exe	37
PID 1920 wrote to memory of 1556	1920	omsecor.exe	37
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38
PID 1556 wrote to memory of 2988	1556	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
"C:\Users\Admin\AppData\Local\Temp\c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
  C:\Users\Admin\AppData\Local\Temp\c82485549b0da04a1f6001b982166dee43b265038b56bb02f6cbd7a5972359f1N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
79c6288b99bfde226ea4f9ba645f6d08

SHA1
fd7ce5ce79dd1c8662d583eb700acab3e49061fc

SHA256
da1223ebe8ae371ba4444710cfabb99cc5a0a24d5b9d55d54b2d67acedacda26

SHA512
26a949bcb8b033cc11c9fc21fae34306a67d4f9134cb714dde71eb25a319ca166a0fcbdf1cd728b75166a6f5b4f5a2a58687e4e8355a9b5df59b1247781b089c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
afebc7712a0118848ba21c9c8a0409a1

SHA1
1cf32899d198ea86bd93cf4a9d517169fb8ca930

SHA256
1f4b6bacad76d92fbc5d20f84f664d9df9b2b5b8478c9040c040e7d23a1c31a1

SHA512
050e0ccceb071edffedbea976ca8719eef04dc5437a7e2c9279b0675c54fb051c8a065a18a6df4cb7d55bbb7b9967c1f15586bacb0b700f66ba68f81c20af0f3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
35aa0924e8008a57c9ba71eaf3798566

SHA1
1efc7b1ef4d6f4310923acc7a037c434b94a2a1b

SHA256
a1c22626aebe124e85fd22ad7ea7d6ab4858a4ec383b96b06fdb3f499ff8a104

SHA512
5b66907e008e9db24eabae49b04a64d239ab70924fb7df51bda947882bca19018e4812fce4e15a95761a3c394d4258ae28e31ea1d972706b70e50aac61d63026

Download Submit
memory/1556-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1556-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-73-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/1920-80-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2024-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2024-21-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2068-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2068-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-48-0x00000000002E0000-0x0000000000303000-memory.dmp

Filesize
140KB

Download
memory/2076-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2172-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download