neconyd | 07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
Size

96KB
MD5

a330bd3ac7399c97c8f0853c3d7f0570
SHA1

513758fdc74147414ffc9f2a883967284e071b82
SHA256

07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428f
SHA512

ab784c6b140f313b9a6c7ea93eea4ce4dcc45c0ede881422e39809fd7a36e27b0f2a3d8ea4c30c9cc2e1eb2fcfbee442bf480e0692c0103405e195ea0903859e
SSDEEP

1536:XnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:XGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2208	omsecor.exe
276	omsecor.exe
1476	omsecor.exe
1760	omsecor.exe
2172	omsecor.exe
684	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
2208	omsecor.exe
276	omsecor.exe
276	omsecor.exe
1760	omsecor.exe
1760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 2208 set thread context of 276	2208	omsecor.exe	33
PID 1476 set thread context of 1760	1476	omsecor.exe	37
PID 2172 set thread context of 684	2172	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1708 wrote to memory of 1256	1708	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	31
PID 1256 wrote to memory of 2208	1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	32
PID 1256 wrote to memory of 2208	1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	32
PID 1256 wrote to memory of 2208	1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	32
PID 1256 wrote to memory of 2208	1256	07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe	32
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 2208 wrote to memory of 276	2208	omsecor.exe	33
PID 276 wrote to memory of 1476	276	omsecor.exe	36
PID 276 wrote to memory of 1476	276	omsecor.exe	36
PID 276 wrote to memory of 1476	276	omsecor.exe	36
PID 276 wrote to memory of 1476	276	omsecor.exe	36
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1476 wrote to memory of 1760	1476	omsecor.exe	37
PID 1760 wrote to memory of 2172	1760	omsecor.exe	38
PID 1760 wrote to memory of 2172	1760	omsecor.exe	38
PID 1760 wrote to memory of 2172	1760	omsecor.exe	38
PID 1760 wrote to memory of 2172	1760	omsecor.exe	38
PID 2172 wrote to memory of 684	2172	omsecor.exe	39
PID 2172 wrote to memory of 684	2172	omsecor.exe	39
PID 2172 wrote to memory of 684	2172	omsecor.exe	39
PID 2172 wrote to memory of 684	2172	omsecor.exe	39
PID 2172 wrote to memory of 684	2172	omsecor.exe	39
PID 2172 wrote to memory of 684	2172	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
"C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
  C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:276
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
709f9640cde5fea9296f4496745f3ab4

SHA1
60b0afe8624cd1d885f1d996c86bdd01d4365b0a

SHA256
15e37e5875c669e29fae517ea6d653e86f8a5ec2514b0f6cc4e9925859fcd9b5

SHA512
98470bd948d42652ac1c44c4be865da3e9374c59d7fe742f2054e794c61fbb29dc95da21a2861b9f950beb00ea88bc2d34c88b99912b2c95e5680fa61c69f314

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d03cba3854f5c326b59966d761f61389

SHA1
371b9aedfa35000b96e8ccb11150fadd983b91bd

SHA256
90714b147ba727bf028cc7bf4383f4091d6b54eeb79056e17d99980620fb22d9

SHA512
218484e93321e691fb5eab7bc22c37f0d642b2db629a04bb8b67baf40e52c056cc36e2caacaedb54d3310f453c3cb8ca6f4fb683a2816e5bbfa54879eb497c5d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
70e4fadf9b3455401eb24f9fa00d406e

SHA1
fe12303819043fce868f30a82ab2b328b6f2beb3

SHA256
b4cf10f10fa11ec561882c1befe80d6d95812a8f16b3f2660d27fa4880b78b6b

SHA512
53ccda02d5e07b0116aede8119389f48e5c94c37a96280e4c742bf459a7b63711174af0c0cfaba2244de0ddd32776a6a343f3d73f4d04cc56a314664fbd1c47a

Download Submit
memory/276-54-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/276-53-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/276-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/276-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/276-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/276-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/276-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/684-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1256-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1476-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download