neconyd | 80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Size

96KB
MD5

39752c4c63bf4b476d0112e272186b03
SHA1

c020dd4d1d84185880dc87b6426056b2c565879c
SHA256

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07
SHA512

d8a023728118c10e0f4c47c085170264ab646fb2352acf03770da0a591216668c6f3a61d16abb8c1fe35e3484d9c3db63eddd17d6178353471814b8c4223bdbc
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:JGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2476	omsecor.exe
2236	omsecor.exe
1908	omsecor.exe
2384	omsecor.exe
2212	omsecor.exe
1428	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
2476	omsecor.exe
2236	omsecor.exe
2236	omsecor.exe
2384	omsecor.exe
2384	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2476 set thread context of 2236	2476	omsecor.exe	32
PID 1908 set thread context of 2384	1908	omsecor.exe	36
PID 2212 set thread context of 1428	2212	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 2160 wrote to memory of 1676	2160	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	30
PID 1676 wrote to memory of 2476	1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 1676 wrote to memory of 2476	1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 1676 wrote to memory of 2476	1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 1676 wrote to memory of 2476	1676	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	31
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2476 wrote to memory of 2236	2476	omsecor.exe	32
PID 2236 wrote to memory of 1908	2236	omsecor.exe	35
PID 2236 wrote to memory of 1908	2236	omsecor.exe	35
PID 2236 wrote to memory of 1908	2236	omsecor.exe	35
PID 2236 wrote to memory of 1908	2236	omsecor.exe	35
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 1908 wrote to memory of 2384	1908	omsecor.exe	36
PID 2384 wrote to memory of 2212	2384	omsecor.exe	37
PID 2384 wrote to memory of 2212	2384	omsecor.exe	37
PID 2384 wrote to memory of 2212	2384	omsecor.exe	37
PID 2384 wrote to memory of 2212	2384	omsecor.exe	37
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38
PID 2212 wrote to memory of 1428	2212	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
"C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
056a0b1e7d2c66672f157cb6ad393425

SHA1
c33378011c7985aa6d0dee97f0b6fc91f2db4f7f

SHA256
53d96dc9a822f303f7791b69959a07db33a34576eec4499e2ece88c0cd76d401

SHA512
98a7d550fbc6cb9fb07774e0a5cdf46640c5f7d6d7285bca61b847684c828f722747014167f6ec5a7eee4254b3bfb8ad6f6116f06b459dd17e4aef8d5c2d0529

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7e3dd25fdf262e08ab7ef6d862ada8f5

SHA1
d235ab9174cf031b67c4b6e1c7bccb77f0148455

SHA256
5bd3341493926231e9660f78efa18dc4ba27f7682040c1d0943585049a1949da

SHA512
036238d39875b09ea8b853bbae39332c373ffc51a920e23f6c8bf16fadf4e5fb89387abd97aa22ccbad3a36849831cb6d998f1254c15d8f1a61a515fa9ac70f3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
86fbc8b0496dabfe9349a68dafcf7ffb

SHA1
c587e56e35ccc2241d716ecbff8068a0497bdb87

SHA256
87c65f92905a82efadbee9cb419487430d6dccec967f65bba2bd8551b3d93a8c

SHA512
a3040528934cfe10ce1a5e44a4e9079a4399b3b41035d91e7f0a046f97189644ac59a40ab7959c579d32d318937231f7a81ec7fddc09d25aaac3a7815b1d6f95

Download Submit
memory/1428-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-15-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1676-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-7-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2160-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-49-0x0000000000820000-0x0000000000843000-memory.dmp

Filesize
140KB

Download
memory/2236-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2476-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2476-26-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2476-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download