neconyd | 70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3ba

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Size

96KB
MD5

175804491419924eb9cf95b29e411080
SHA1

bb1d15177426f78fb336c09714ff203915f39f46
SHA256

70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3ba
SHA512

ab3fad3131117fad88cb43d5e8c8adc741a710ed9c45a54266688f856a8b2745c461211c600291ebb257d6c58ac812f0f4eb9d7face98e4cacad1a53abd32617
SSDEEP

1536:/nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:/Gs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2308	omsecor.exe
2416	omsecor.exe
2108	omsecor.exe
2612	omsecor.exe
2668	omsecor.exe
2132	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
2308	omsecor.exe
2416	omsecor.exe
2416	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2308 set thread context of 2416	2308	omsecor.exe	33
PID 2108 set thread context of 2612	2108	omsecor.exe	37
PID 2668 set thread context of 2132	2668	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2496 wrote to memory of 2336	2496	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	31
PID 2336 wrote to memory of 2308	2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	32
PID 2336 wrote to memory of 2308	2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	32
PID 2336 wrote to memory of 2308	2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	32
PID 2336 wrote to memory of 2308	2336	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	32
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2308 wrote to memory of 2416	2308	omsecor.exe	33
PID 2416 wrote to memory of 2108	2416	omsecor.exe	36
PID 2416 wrote to memory of 2108	2416	omsecor.exe	36
PID 2416 wrote to memory of 2108	2416	omsecor.exe	36
PID 2416 wrote to memory of 2108	2416	omsecor.exe	36
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2108 wrote to memory of 2612	2108	omsecor.exe	37
PID 2612 wrote to memory of 2668	2612	omsecor.exe	38
PID 2612 wrote to memory of 2668	2612	omsecor.exe	38
PID 2612 wrote to memory of 2668	2612	omsecor.exe	38
PID 2612 wrote to memory of 2668	2612	omsecor.exe	38
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39
PID 2668 wrote to memory of 2132	2668	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
"C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
  C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
34132ba5d6e8d957ea4f406d8a1cd8e7

SHA1
992da18f3cff8f20386a8be9c0138cd3ecdee377

SHA256
0b55c7b1fba713a2eb8587194cf772ac9953214fda65c7df533af04d7ea35c29

SHA512
5de50668cc5fa5a73a5e924f9109afb0a875b8dc1556d7a3fb6a1cc2c771fd78625ce9fba394699bac23898c1942c11c6b3edb5e718570512ba47a4c7e40bf39

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fa2482aaefa76c0059ad8c9cbd83bbfe

SHA1
e63e415e94bb1d3a90dcbff831ae27d236994926

SHA256
526dea57b17911fa849bb3567a42cb6206435d04fcb25441128a8d0f1dc4d732

SHA512
22c8ca474b7697fe0cdba46349de115e61d6b62aeef5fa9849387bb403ea3151ba294d5810ebe638f87573e4b7a59356fcde5169c571adc2bfa24e6cf6ad7dad

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
defb381de75151afd190afdaac210f43

SHA1
d761cbcba802e9ebfb8b67efa1eeb51d31764ecf

SHA256
57fcdf4894c25952cf6eb96ab98c4afeb40df36ec990caff39afbbb7288cfd64

SHA512
39493d368b541d4344f382cd9d8a1feea607cd0a2e112437be70c2195360d43a72bfa296ff87e36ec2ba9fa356c3ac4472e223e6c84fd50525f3080e6a93cf92

Download Submit
memory/2108-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2132-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2308-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2336-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-53-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2416-52-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2416-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download