neconyd | 80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Size

96KB
MD5

39752c4c63bf4b476d0112e272186b03
SHA1

c020dd4d1d84185880dc87b6426056b2c565879c
SHA256

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07
SHA512

d8a023728118c10e0f4c47c085170264ab646fb2352acf03770da0a591216668c6f3a61d16abb8c1fe35e3484d9c3db63eddd17d6178353471814b8c4223bdbc
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:JGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2496	omsecor.exe
2312	omsecor.exe
1232	omsecor.exe
2464	omsecor.exe
2076	omsecor.exe
2100	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
2496	omsecor.exe
2312	omsecor.exe
2312	omsecor.exe
2464	omsecor.exe
2464	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2496 set thread context of 2312	2496	omsecor.exe	32
PID 1232 set thread context of 2464	1232	omsecor.exe	36
PID 2076 set thread context of 2100	2076	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1980 wrote to memory of 2592	1980	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2592 wrote to memory of 2496	2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 2592 wrote to memory of 2496	2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 2592 wrote to memory of 2496	2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 2592 wrote to memory of 2496	2592	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2496 wrote to memory of 2312	2496	omsecor.exe	32
PID 2312 wrote to memory of 1232	2312	omsecor.exe	35
PID 2312 wrote to memory of 1232	2312	omsecor.exe	35
PID 2312 wrote to memory of 1232	2312	omsecor.exe	35
PID 2312 wrote to memory of 1232	2312	omsecor.exe	35
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 1232 wrote to memory of 2464	1232	omsecor.exe	36
PID 2464 wrote to memory of 2076	2464	omsecor.exe	37
PID 2464 wrote to memory of 2076	2464	omsecor.exe	37
PID 2464 wrote to memory of 2076	2464	omsecor.exe	37
PID 2464 wrote to memory of 2076	2464	omsecor.exe	37
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38
PID 2076 wrote to memory of 2100	2076	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
"C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
056a0b1e7d2c66672f157cb6ad393425

SHA1
c33378011c7985aa6d0dee97f0b6fc91f2db4f7f

SHA256
53d96dc9a822f303f7791b69959a07db33a34576eec4499e2ece88c0cd76d401

SHA512
98a7d550fbc6cb9fb07774e0a5cdf46640c5f7d6d7285bca61b847684c828f722747014167f6ec5a7eee4254b3bfb8ad6f6116f06b459dd17e4aef8d5c2d0529

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
45573297ae4b01718bddb952d6a7a681

SHA1
f58aad4679fcc4a95bdf2bdad10670bc7ffe925e

SHA256
44146ace43fe64c147efdef06d4698ed9b422ec8a631f141c13cb22a127d419f

SHA512
49f116bbe14ceacd347e0b1dcdcd563e62594353eeb844a67a7663c2e4f81c2637db0a03c25b31fbe442afae8ad64773d589f148cac2a0703d2188deedebd631

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
4c64d9a683af5b19e1499f23e451e4d6

SHA1
4b8c511b58813c8a38e0e90dcd0a45a6a24bf5a0

SHA256
52fb2c0c46fb4295c29754ee0ff08ea338aa4d832b38cad2220afe493d0c0594

SHA512
0f5db53cf660b2238256e8736dd70b75bdb83ddcdd6b3049cc123650163cfeabee87197802e9ebf97f83b0c22682595976bac11b018dc481891a858c6fd6d7e4

Download Submit
memory/1232-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-3-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/1980-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2100-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-48-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2312-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-72-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2496-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2592-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2592-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-19-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2592-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download