neconyd | 5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
Size

96KB
MD5

b68f49ecd7ced38a0036962cdefc7370
SHA1

2506566a81706d4432705bb7ea662bb4bc5b66cb
SHA256

5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825
SHA512

5a712b5a0b1782a95ef26d206872a3f27f5f1fea9f1939284e834fcceb55175d32350059d630d59ca19ce8e9164419a9930c60f5b9b02c58ae753ee216398ba7
SSDEEP

1536:snAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:sGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2776	omsecor.exe
2672	omsecor.exe
1920	omsecor.exe
1904	omsecor.exe
2156	omsecor.exe
2952	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
2776	omsecor.exe
2672	omsecor.exe
2672	omsecor.exe
1904	omsecor.exe
1904	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2776 set thread context of 2672	2776	omsecor.exe	32
PID 1920 set thread context of 1904	1920	omsecor.exe	36
PID 2156 set thread context of 2952	2156	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2364 wrote to memory of 2236	2364	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	30
PID 2236 wrote to memory of 2776	2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	31
PID 2236 wrote to memory of 2776	2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	31
PID 2236 wrote to memory of 2776	2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	31
PID 2236 wrote to memory of 2776	2236	5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe	31
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2776 wrote to memory of 2672	2776	omsecor.exe	32
PID 2672 wrote to memory of 1920	2672	omsecor.exe	35
PID 2672 wrote to memory of 1920	2672	omsecor.exe	35
PID 2672 wrote to memory of 1920	2672	omsecor.exe	35
PID 2672 wrote to memory of 1920	2672	omsecor.exe	35
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1920 wrote to memory of 1904	1920	omsecor.exe	36
PID 1904 wrote to memory of 2156	1904	omsecor.exe	37
PID 1904 wrote to memory of 2156	1904	omsecor.exe	37
PID 1904 wrote to memory of 2156	1904	omsecor.exe	37
PID 1904 wrote to memory of 2156	1904	omsecor.exe	37
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38
PID 2156 wrote to memory of 2952	2156	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
"C:\Users\Admin\AppData\Local\Temp\5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
  C:\Users\Admin\AppData\Local\Temp\5f21c755308d6f97c3e2c728919674b97e1a8aa1bdc1ac7cbff65f84833cd825N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
907a8dc35445936cd31d0f26eba9481f

SHA1
8af3dc64ea78d61d71b8eea3e3cb575d4edf37d4

SHA256
52b79c15a7f78ce008fd55daec1bc55cf6210ec3c349fff6f780d12a233e7150

SHA512
69e8c117258bceee4813454a973608ffdd76d1b05585382163b3455bb8ced111c6724d8e8130660ba4a2e0e699e5da260149c8acc7f5becbea08ee4860d75e99

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
34d5d714ae416850d9dc2d3bf7e55f2f

SHA1
526bc706da8ad3e69dd83a136201b891ad86682a

SHA256
0b30673f5389cce4c0dd461e295c41c22f59a034edb1e35ea047d3a76d93f1fd

SHA512
650f3a748f43b122d390ce3e128bb80ce50407d6892f0ae82f3eff78bb7b3c5276a2538569f1a420568c808f1d93c9eb141a9d14a6a820e9ed1fdccde0f6a092

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
414f84ca3a8fe69ac833b63c7e264373

SHA1
950497dcc30b58c199c6ed6a35d87a1c12bc6079

SHA256
4bcdd0dea40d020e8c047a5f4f7d7f2d8f7dddc8eb7b1df82b1e7d5a0eda844f

SHA512
4f18eef7b9b1e22c0784091ac28336a63adf9ccf1424c5dfdb52cd864e27ca1f5c2a107c9c5961af90f46c1be5278bbf6e8f9bb3223e8af73100a1337ef3cfa2

Download Submit
memory/1904-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1920-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2672-54-0x0000000002240000-0x0000000002263000-memory.dmp

Filesize
140KB

Download
memory/2672-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-48-0x0000000002240000-0x0000000002263000-memory.dmp

Filesize
140KB

Download
memory/2672-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2776-24-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2776-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download