neconyd | 89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
Size

96KB
MD5

e10b3a7a7069066eed78dadc8378cde7
SHA1

537f76364cb78e9b7a5d569a0eb0c02c7b20904e
SHA256

89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25
SHA512

9c42fc40335ee2169192235f6cd1c66dc0714facd9d76baa70c4076a43147bcc3bd36c1cd0065d381162cd8452eb77bd018d12c11fff35da8bb205e2f39ccc87
SSDEEP

1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:YGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2832	omsecor.exe
2460	omsecor.exe
2092	omsecor.exe
1288	omsecor.exe
1144	omsecor.exe
2860	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
2832	omsecor.exe
2460	omsecor.exe
2460	omsecor.exe
1288	omsecor.exe
1288	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2832 set thread context of 2460	2832	omsecor.exe	32
PID 2092 set thread context of 1288	2092	omsecor.exe	36
PID 1144 set thread context of 2860	1144	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 2976 wrote to memory of 3040	2976	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	30
PID 3040 wrote to memory of 2832	3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	31
PID 3040 wrote to memory of 2832	3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	31
PID 3040 wrote to memory of 2832	3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	31
PID 3040 wrote to memory of 2832	3040	89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe	31
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2832 wrote to memory of 2460	2832	omsecor.exe	32
PID 2460 wrote to memory of 2092	2460	omsecor.exe	35
PID 2460 wrote to memory of 2092	2460	omsecor.exe	35
PID 2460 wrote to memory of 2092	2460	omsecor.exe	35
PID 2460 wrote to memory of 2092	2460	omsecor.exe	35
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 2092 wrote to memory of 1288	2092	omsecor.exe	36
PID 1288 wrote to memory of 1144	1288	omsecor.exe	37
PID 1288 wrote to memory of 1144	1288	omsecor.exe	37
PID 1288 wrote to memory of 1144	1288	omsecor.exe	37
PID 1288 wrote to memory of 1144	1288	omsecor.exe	37
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38
PID 1144 wrote to memory of 2860	1144	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
"C:\Users\Admin\AppData\Local\Temp\89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
  C:\Users\Admin\AppData\Local\Temp\89f0584fdc33316bf1c0e9942879ba5100a533de1809d36ef35e7b964e370b25.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f7b60f870ab2b98757a7117f5e9e0907

SHA1
0dc739014e9211899dc3f25a45376d3cdd48cc2a

SHA256
d6b82630dd26fc3b9e4635a8be2f5c8d9750918b2b36bdb7880bef9d15e9bc8d

SHA512
e4ec2b47de1c26e48d1def6a4243eeb1d5162b8a4f480546cb7d9169034bc917b7ac563cf5e4083a3a061af403387d5914178a110df04dedf5790b6d27401691

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9ae7a66c72a4e951e218a9cb633935a2

SHA1
b78aa8282064b037adf8e327a984d8ba39b6c962

SHA256
2acc161e874e963410fae6c1742cf30b0a304ad24a1eb7f60aca8e0207db35d3

SHA512
9a9280d66a94340d53c0664027b9f1a38defa83631ef98fdf16ea6625067252e85f60618f52b01407679409eda0769dd764d5a228a539c08678cc43ccd41fcea

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
370cde29d17592e0eb26ae97edc1e457

SHA1
2b00d8827df0deeba4b0477c1670ddd638ab8088

SHA256
c089018a007239df6c2f700e5db74f0ce9c30dd5279591f5f41400a54c13d58f

SHA512
85f708e11cb97e563d80bc7a05a63e811cea340aa9ad4a18b9af516462a6166a96c4feb34b8d9ca8fc0b631d08406d3c08e74f082ba9994f34176cc58ea4e712

Download Submit
memory/1144-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1144-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2460-54-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2460-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-52-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2460-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2976-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download