neconyd | 0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
Size

96KB
MD5

14d561cfa5fce0bd354d39de071973ae
SHA1

15902cd3741f7e31a29660bbff5459e1d5a076a0
SHA256

0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e
SHA512

79075baf6cecece7a68afbe0d601d44e8af107a79a31bfd1d6f0c9633c5a5539b19ed0d57e6d8c1ab834aa29952dd5d66eafa44bdaf42417dd4b9599a4661629
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:QGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1340	omsecor.exe
1968	omsecor.exe
2036	omsecor.exe
1552	omsecor.exe
808	omsecor.exe
1796	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
1340	omsecor.exe
1968	omsecor.exe
1968	omsecor.exe
1552	omsecor.exe
1552	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 1340 set thread context of 1968	1340	omsecor.exe	32
PID 2036 set thread context of 1552	2036	omsecor.exe	36
PID 808 set thread context of 1796	808	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2452 wrote to memory of 2192	2452	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	30
PID 2192 wrote to memory of 1340	2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	31
PID 2192 wrote to memory of 1340	2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	31
PID 2192 wrote to memory of 1340	2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	31
PID 2192 wrote to memory of 1340	2192	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	31
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1340 wrote to memory of 1968	1340	omsecor.exe	32
PID 1968 wrote to memory of 2036	1968	omsecor.exe	35
PID 1968 wrote to memory of 2036	1968	omsecor.exe	35
PID 1968 wrote to memory of 2036	1968	omsecor.exe	35
PID 1968 wrote to memory of 2036	1968	omsecor.exe	35
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 2036 wrote to memory of 1552	2036	omsecor.exe	36
PID 1552 wrote to memory of 808	1552	omsecor.exe	37
PID 1552 wrote to memory of 808	1552	omsecor.exe	37
PID 1552 wrote to memory of 808	1552	omsecor.exe	37
PID 1552 wrote to memory of 808	1552	omsecor.exe	37
PID 808 wrote to memory of 1796	808	omsecor.exe	38
PID 808 wrote to memory of 1796	808	omsecor.exe	38
PID 808 wrote to memory of 1796	808	omsecor.exe	38
PID 808 wrote to memory of 1796	808	omsecor.exe	38
PID 808 wrote to memory of 1796	808	omsecor.exe	38
PID 808 wrote to memory of 1796	808	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
"C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
  C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0d94f2f9ce58c6512ecccde2407fec6b

SHA1
460dd6382baf7903d034191fd9540f07d3e64181

SHA256
5ae4e3d22700fcca42a7fb2d5d8b64944272d7fd50befe7d069a966ec85accd7

SHA512
0ec68ee2ddec73ccb175a5e1a759dc92fa5cb9f79baeadc5d9b2fe4ab0dc5aae74855b5ad1b2d18e304aeb1495a314405123c50e35a7b56b09cb044464c6314a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6d593cda89672eff133f53ea3eecae25

SHA1
783ebb2954dae6f4f5acc4dfc39ee310c5f99b51

SHA256
067baf46274d3f4ef7a0bcdd07a6d326670df358c4b3ff24b8a315671b8fb88f

SHA512
cb4d41834617185aa3c2901a6e6e6e0f12a3d6d45fe84bfdaee0910fb9bfcd9e390cf834146438679b152b3974ed2cb8fc38ce8333d1e89e42cb32fd834fdcd5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
497210e16f54b064b2a5e3d93e752197

SHA1
15f4251d799550f9b487cf2cf5f5501c4c38f9fd

SHA256
bb072f9aa5dbb8a8aed3cec489b87ac0362b1fe502c44307454063728162f48d

SHA512
f39679d8421a60ff342c911a2c1cd9aad5c9d9c64d774a7858cf05715a2840425c6d67ec48da0d130580a3b1924e9403bfe8119a40d17f84014479ce4b212fab

Download Submit
memory/808-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/808-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1552-71-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/1796-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-47-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/2036-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2192-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-14-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2192-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2452-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2452-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download