neconyd | 15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Size

96KB
MD5

6a80607d407893f9d45f48c152454f10
SHA1

977bc4c2f53cd5009d7945a1aaefd40109cf4cdc
SHA256

15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29
SHA512

3c7f553b0037820a70dacfeb6b1f33dea8db544e65b98b61bd94cf116bba90fc150563458795fe99440aeeb61d8f8bca8291de215d94c429f534ae24c6ea2029
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:DGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2720	omsecor.exe
840	omsecor.exe
588	omsecor.exe
2028	omsecor.exe
2376	omsecor.exe
1876	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
2720	omsecor.exe
840	omsecor.exe
840	omsecor.exe
2028	omsecor.exe
2028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2720 set thread context of 840	2720	omsecor.exe	32
PID 588 set thread context of 2028	588	omsecor.exe	35
PID 2376 set thread context of 1876	2376	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2700 wrote to memory of 2668	2700	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	30
PID 2668 wrote to memory of 2720	2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	31
PID 2668 wrote to memory of 2720	2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	31
PID 2668 wrote to memory of 2720	2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	31
PID 2668 wrote to memory of 2720	2668	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	31
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 2720 wrote to memory of 840	2720	omsecor.exe	32
PID 840 wrote to memory of 588	840	omsecor.exe	34
PID 840 wrote to memory of 588	840	omsecor.exe	34
PID 840 wrote to memory of 588	840	omsecor.exe	34
PID 840 wrote to memory of 588	840	omsecor.exe	34
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 588 wrote to memory of 2028	588	omsecor.exe	35
PID 2028 wrote to memory of 2376	2028	omsecor.exe	36
PID 2028 wrote to memory of 2376	2028	omsecor.exe	36
PID 2028 wrote to memory of 2376	2028	omsecor.exe	36
PID 2028 wrote to memory of 2376	2028	omsecor.exe	36
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37
PID 2376 wrote to memory of 1876	2376	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
"C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
  C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
198c00fc46538ca3f409fd37368211a6

SHA1
d565e298687d7a4a9468082beeccba2779cc8f7e

SHA256
e42df9a6c8cb6082776f191859b485ca31ef2e24170376f92bdf2f0fd8ea0c5e

SHA512
30b156b5aebee9b9a26656f0b4026ce8071493874d7f40e1423c4ca5b0c86e4152af2658131411a871af1f9615a842a0b636bb359625be0fd600faa20dc33d0e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3484eff81a3fc078221d9f56526d3f79

SHA1
81765fcac7719beba61c65deca4a3b221223e8e2

SHA256
17d67155a203f9e4e0fea65bd5455e5cd8420d77452ae4962c646e6c64a9360a

SHA512
36d60fb3604240663caa57b99f9f476f9ca1e4b6aff595e50bac0712720dd57ef647b3811d816593acb262de7665d809908c0053df466f60161fb9b85f1a4309

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d4ee9876f640c7a95cefa92eb56d26e3

SHA1
b66266b87f5a343d26f06ec575a0ff5d91227f36

SHA256
8560b9b2dd5d989be18a4152d3b844e440f5571386920c1ba5148cdf748ca1cc

SHA512
f3f724e53670c2ac9637589115a8633fcbb8e4895fe33327c925fa4626153e9c0812edfced7b4027605730af2f983d544801f870e05b35342c6a31a10515409d

Download Submit
memory/588-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/588-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/840-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-48-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/840-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1876-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-14-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2668-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2700-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2700-35-0x00000000001F0000-0x0000000000213000-memory.dmp

Filesize
140KB

Download
memory/2700-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download