neconyd | 1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7

Analysis

max time kernel
120s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Size

96KB
MD5

b67bf83c78ed65549a8d17207df21650
SHA1

2555a01e772fd1f349128cf6e3daf275792885c7
SHA256

1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7
SHA512

2664132b45f60357d2bd93689caf16c2123af1b86683228f08cf249ea8f82d774b8a2c94785cf37fb811de51265195c1ed358444f61ab29441246787c77a1006
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2480	omsecor.exe
2932	omsecor.exe
1580	omsecor.exe
2364	omsecor.exe
2072	omsecor.exe
2800	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
2480	omsecor.exe
2932	omsecor.exe
2932	omsecor.exe
2364	omsecor.exe
2364	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2480 set thread context of 2932	2480	omsecor.exe	32
PID 1580 set thread context of 2364	1580	omsecor.exe	36
PID 2072 set thread context of 2800	2072	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 2336 wrote to memory of 1888	2336	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	30
PID 1888 wrote to memory of 2480	1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	31
PID 1888 wrote to memory of 2480	1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	31
PID 1888 wrote to memory of 2480	1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	31
PID 1888 wrote to memory of 2480	1888	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	31
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2480 wrote to memory of 2932	2480	omsecor.exe	32
PID 2932 wrote to memory of 1580	2932	omsecor.exe	35
PID 2932 wrote to memory of 1580	2932	omsecor.exe	35
PID 2932 wrote to memory of 1580	2932	omsecor.exe	35
PID 2932 wrote to memory of 1580	2932	omsecor.exe	35
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 1580 wrote to memory of 2364	1580	omsecor.exe	36
PID 2364 wrote to memory of 2072	2364	omsecor.exe	37
PID 2364 wrote to memory of 2072	2364	omsecor.exe	37
PID 2364 wrote to memory of 2072	2364	omsecor.exe	37
PID 2364 wrote to memory of 2072	2364	omsecor.exe	37
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38
PID 2072 wrote to memory of 2800	2072	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
"C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
  C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b19a446c42de54a24fa45c77f6e4ee7e

SHA1
2e83e343feee767331777ff4cfc886c0a23e6572

SHA256
0a47fad86b36ecbabd313364dd6362980876513ab1a33fb3fd09a360287e0fc3

SHA512
0f34b001797243ee88c29f3206ae4a472465374614e4f29132014324a0a4d41f2bb7041aabacd5ab4778b7fcd44754a841ff78b2174257a293e1d594273fb419

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dec22baa50cee1da4c1626dc86950692

SHA1
d1eeb6e8cd20a1f6091eab555a2b16164cd25503

SHA256
1b2334a8d60b5651077454caad68d43ba97c13b6d1e5bc6cdf89cd94584dcc5d

SHA512
860ffef80de42c4aadf1d4fab347b6adb949927e67782d706934b2a6d06ed2751d57a6c2d346af844f9eb10da78a1592804aaaa0426c89d039a4b3a323b87b2e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5d13abdf51603de5beb1faa3160d2297

SHA1
ce38faee10138d9d8591293affddd37ba139ac56

SHA256
0c5c1ff6bfd1a84caa021c6bd3439cff2848edc5942f635ef20a145939d8630d

SHA512
c8805bff9c0e049bdcc3ce037b01105fc24d358ddb8ee5d73de0161b3874633143801dc48406d38d8d0a4ff9fe06a5661afc04319dbea4fbb445810f5267cfc2

Download Submit
memory/1580-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1888-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1888-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-1-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-71-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2364-90-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2480-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2800-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-48-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2932-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download