neconyd | 15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Size

134KB
MD5

eb3d3b17e41c40cbae73072b9d9a1a7d
SHA1

7c0feef921da8f9d08a476d64afcd55a4bf02726
SHA256

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d
SHA512

0820ee2bfb04115354be88347bb000ab4d97d65551a64d04f62740d841e663506cb40f4e6eeb1b76ad1650c64d2f1a7d63fc8618083fcdccd725fe4096e293b7
SSDEEP

1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi1:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2516	omsecor.exe
2652	omsecor.exe
1164	omsecor.exe
768	omsecor.exe
2412	omsecor.exe
2076	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
2516	omsecor.exe
2652	omsecor.exe
2652	omsecor.exe
768	omsecor.exe
768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 2516 set thread context of 2652	2516	omsecor.exe	33
PID 1164 set thread context of 768	1164	omsecor.exe	37
PID 2412 set thread context of 2076	2412	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1916 wrote to memory of 1732	1916	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	31
PID 1732 wrote to memory of 2516	1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	32
PID 1732 wrote to memory of 2516	1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	32
PID 1732 wrote to memory of 2516	1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	32
PID 1732 wrote to memory of 2516	1732	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	32
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2516 wrote to memory of 2652	2516	omsecor.exe	33
PID 2652 wrote to memory of 1164	2652	omsecor.exe	36
PID 2652 wrote to memory of 1164	2652	omsecor.exe	36
PID 2652 wrote to memory of 1164	2652	omsecor.exe	36
PID 2652 wrote to memory of 1164	2652	omsecor.exe	36
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 1164 wrote to memory of 768	1164	omsecor.exe	37
PID 768 wrote to memory of 2412	768	omsecor.exe	38
PID 768 wrote to memory of 2412	768	omsecor.exe	38
PID 768 wrote to memory of 2412	768	omsecor.exe	38
PID 768 wrote to memory of 2412	768	omsecor.exe	38
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39
PID 2412 wrote to memory of 2076	2412	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
"C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
136cd8faceceb7aa54badd9208cb25ad

SHA1
31ca5e20cf06e6d70010f1d67eeeb6d79004f677

SHA256
5c3c3879e69389476a05e96b8849c8b3359bd38b25362faa2f1de27daa531b22

SHA512
8f34c1454975b2f02d71fdc7a0404da843b69c6136e4d27d178f345ca95c407525e5f4ea595947a21d376e72b419e6e967d67b19a85d46ef4445ef348965e8d5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d8dc678a990a8c9c9cda88f0c85cbe7f

SHA1
0b040a20c5fe18ab9cf556c55aaeafe57caf7464

SHA256
249d43173536b014132143ab2662a6ce14272b622d62e1d120f3878c70464002

SHA512
d5c179a2c8399e6362f50390eca0473dcf6ccdc12011a37eaa05f8cdd5bd4694f39a27734e1ce6b5a34a8abb845f333f876eab96b26a333f8a5a8dfd49c2b596

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
f272d172525b6210af8b36fd043a0a9c

SHA1
7cbbe8a1df05145152915f7eba5662875a194967

SHA256
111083feff11af79fc252e07290d5500778997bf8eca26d6de00d8437c78a302

SHA512
bc960593a26e34629fdae4beb15e895fcb3e3c4cf46ca1d848011d65081741e3a3fd3189dc26c51029e29cebef7aef1b927946439c7d77f985791a626ddd7238

Download Submit
memory/768-71-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/1164-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1164-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1732-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-18-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/1732-20-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/1732-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-34-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2076-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2516-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2516-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2652-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-54-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/2652-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-47-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/2652-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download