neconyd | b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
Size

96KB
MD5

31e55980ad69426261b8860429ee0c21
SHA1

4080b76d20fd5ab5cea415c344d98db4fa0731ef
SHA256

b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800
SHA512

8367438a0443204df982b1930f847de29cf233c0562030d8bb25201e70c01e10fd9abdccee88c307eb90a69bb912fd341e716a0b5c582814d81dd27ba8255c27
SSDEEP

1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:LGs8cd8eXlYairZYqMddH13q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1920	omsecor.exe
2524	omsecor.exe
2728	omsecor.exe
3004	omsecor.exe
300	omsecor.exe
2644	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
1920	omsecor.exe
2524	omsecor.exe
2524	omsecor.exe
3004	omsecor.exe
3004	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 1920 set thread context of 2524	1920	omsecor.exe	33
PID 2728 set thread context of 3004	2728	omsecor.exe	36
PID 300 set thread context of 2644	300	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 2652 wrote to memory of 1080	2652	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	30
PID 1080 wrote to memory of 1920	1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	31
PID 1080 wrote to memory of 1920	1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	31
PID 1080 wrote to memory of 1920	1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	31
PID 1080 wrote to memory of 1920	1080	b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe	31
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 1920 wrote to memory of 2524	1920	omsecor.exe	33
PID 2524 wrote to memory of 2728	2524	omsecor.exe	35
PID 2524 wrote to memory of 2728	2524	omsecor.exe	35
PID 2524 wrote to memory of 2728	2524	omsecor.exe	35
PID 2524 wrote to memory of 2728	2524	omsecor.exe	35
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 2728 wrote to memory of 3004	2728	omsecor.exe	36
PID 3004 wrote to memory of 300	3004	omsecor.exe	37
PID 3004 wrote to memory of 300	3004	omsecor.exe	37
PID 3004 wrote to memory of 300	3004	omsecor.exe	37
PID 3004 wrote to memory of 300	3004	omsecor.exe	37
PID 300 wrote to memory of 2644	300	omsecor.exe	38
PID 300 wrote to memory of 2644	300	omsecor.exe	38
PID 300 wrote to memory of 2644	300	omsecor.exe	38
PID 300 wrote to memory of 2644	300	omsecor.exe	38
PID 300 wrote to memory of 2644	300	omsecor.exe	38
PID 300 wrote to memory of 2644	300	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
"C:\Users\Admin\AppData\Local\Temp\b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
  C:\Users\Admin\AppData\Local\Temp\b2f9a02219b4b162c31705db3ec8bb79388aca4082eaac8b43ee3118b31ce800.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b24981b44a7ce916ee50d664700b36fb

SHA1
8021be721a8e81cc93dd12b1daf5aaf2981f81ae

SHA256
5898e3aa8f9867dab01d71e51a55dc2e70de41569f9a451b14090b67448cd957

SHA512
6bf7809a09d4ea8c74d9ef6cb8b4eb6aa82dd239824a593c5a4d10608076bc6c1cdf0bf9a4043da6d23b73e3657a811fb6255ee109587ef4a8f7e81fce9f5a2b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
19f4deb336281fcad40f9d6254702811

SHA1
83881e62d497e61e764298a5a38a56bc80223b10

SHA256
a07177d8e0b53c635c384cd232f76e0391ae3d3c2664699db0959a85618d7510

SHA512
16158a126be12c4407d11402dd31b0db06f87e97831badd1a4db0975195bbdeae52e41260825b0a7dff20e82719534431d8c35276bfab1def39205ff8379e848

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3c880f97071ab589f932dbb0bb89b5c9

SHA1
0cf70896d6bb335aec9bcba933bdd0079c38e61b

SHA256
49e52f34099a06c04f2b5119cf1ff0153e399a33ee8529313047e049f06ee734

SHA512
4bcc670abce96d308db2dbff42925e074411b0fd90c01456c485a3a8a5cd3a80add711d3bb1addf56eb48d4ab3446ce55d2a5a08f1dc57c4fe767492e77c1c12

Download Submit
memory/300-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/300-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1080-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1080-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1080-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1080-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1080-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1920-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1920-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-48-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/2524-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2728-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download