neconyd | 15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d

Analysis

max time kernel
116s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Size

134KB
MD5

eb3d3b17e41c40cbae73072b9d9a1a7d
SHA1

7c0feef921da8f9d08a476d64afcd55a4bf02726
SHA256

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d
SHA512

0820ee2bfb04115354be88347bb000ab4d97d65551a64d04f62740d841e663506cb40f4e6eeb1b76ad1650c64d2f1a7d63fc8618083fcdccd725fe4096e293b7
SSDEEP

1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi1:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3064	omsecor.exe
2536	omsecor.exe
1764	omsecor.exe
1616	omsecor.exe
316	omsecor.exe
2928	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
3064	omsecor.exe
2536	omsecor.exe
2536	omsecor.exe
1616	omsecor.exe
1616	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 3064 set thread context of 2536	3064	omsecor.exe	32
PID 1764 set thread context of 1616	1764	omsecor.exe	36
PID 316 set thread context of 2928	316	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 1628 wrote to memory of 2144	1628	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	30
PID 2144 wrote to memory of 3064	2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 2144 wrote to memory of 3064	2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 2144 wrote to memory of 3064	2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 2144 wrote to memory of 3064	2144	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 3064 wrote to memory of 2536	3064	omsecor.exe	32
PID 2536 wrote to memory of 1764	2536	omsecor.exe	35
PID 2536 wrote to memory of 1764	2536	omsecor.exe	35
PID 2536 wrote to memory of 1764	2536	omsecor.exe	35
PID 2536 wrote to memory of 1764	2536	omsecor.exe	35
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1764 wrote to memory of 1616	1764	omsecor.exe	36
PID 1616 wrote to memory of 316	1616	omsecor.exe	37
PID 1616 wrote to memory of 316	1616	omsecor.exe	37
PID 1616 wrote to memory of 316	1616	omsecor.exe	37
PID 1616 wrote to memory of 316	1616	omsecor.exe	37
PID 316 wrote to memory of 2928	316	omsecor.exe	38
PID 316 wrote to memory of 2928	316	omsecor.exe	38
PID 316 wrote to memory of 2928	316	omsecor.exe	38
PID 316 wrote to memory of 2928	316	omsecor.exe	38
PID 316 wrote to memory of 2928	316	omsecor.exe	38
PID 316 wrote to memory of 2928	316	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
"C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d8dc678a990a8c9c9cda88f0c85cbe7f

SHA1
0b040a20c5fe18ab9cf556c55aaeafe57caf7464

SHA256
249d43173536b014132143ab2662a6ce14272b622d62e1d120f3878c70464002

SHA512
d5c179a2c8399e6362f50390eca0473dcf6ccdc12011a37eaa05f8cdd5bd4694f39a27734e1ce6b5a34a8abb845f333f876eab96b26a333f8a5a8dfd49c2b596

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c61c7c8fa19969d4137db45388d08e1e

SHA1
21d5065a73f4d8710adc75ad0c8744f91547e2c8

SHA256
9536f6ed18e8de2560a4b05ffcddc867eefc0cd075b5656a9c1eb37b8f8399d0

SHA512
80ae67c6324fb58ce35476bc91e7e9a4c15328b66c387526aea54bc0de93fa2252c7b3ded3c9a24bbee952fe823fac4f6e0f84023771a6c35517d156f00609cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e06bf89b82b03575eed46e5728ef4f4e

SHA1
cb63482eb7aaffe11c21ae0ce7ca685f95fea526

SHA256
9f8ea806b1b43932565869e564a8a9169661ee93edc8348418329d6b0450d38e

SHA512
0b215d27b2b2612636706e82a7b1062515e699862179d73c3671e09387c8dd5a463dea40dedad63cbc6c38bc3ce9bf5b0bf10065eaf5a4c5fc94dbb0fb0c5c7d

Download Submit
memory/316-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/316-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-68-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1628-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1764-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2144-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-46-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download
memory/2536-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-33-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/3064-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-28-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/3064-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download