neconyd | d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
Size

134KB
MD5

e6c8b2ebde224a97b946084aa466a5a0
SHA1

08540d457b47b3971d99f91e08070a5838c71d0b
SHA256

d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7
SHA512

8e2b539db918ffc9d19c0032d190413b013842475183749a273212f85cf9316ae65608437ba0fae35e0a256450e0b4d892cf2d02d6d598f4a31ced262762598e
SSDEEP

1536:PDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:7iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2068	omsecor.exe
2292	omsecor.exe
2904	omsecor.exe
2804	omsecor.exe
1444	omsecor.exe
2328	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
2068	omsecor.exe
2292	omsecor.exe
2292	omsecor.exe
2804	omsecor.exe
2804	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 2068 set thread context of 2292	2068	omsecor.exe	32
PID 2904 set thread context of 2804	2904	omsecor.exe	36
PID 1444 set thread context of 2328	1444	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1820 wrote to memory of 1348	1820	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	30
PID 1348 wrote to memory of 2068	1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	31
PID 1348 wrote to memory of 2068	1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	31
PID 1348 wrote to memory of 2068	1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	31
PID 1348 wrote to memory of 2068	1348	d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe	31
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2068 wrote to memory of 2292	2068	omsecor.exe	32
PID 2292 wrote to memory of 2904	2292	omsecor.exe	35
PID 2292 wrote to memory of 2904	2292	omsecor.exe	35
PID 2292 wrote to memory of 2904	2292	omsecor.exe	35
PID 2292 wrote to memory of 2904	2292	omsecor.exe	35
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2904 wrote to memory of 2804	2904	omsecor.exe	36
PID 2804 wrote to memory of 1444	2804	omsecor.exe	37
PID 2804 wrote to memory of 1444	2804	omsecor.exe	37
PID 2804 wrote to memory of 1444	2804	omsecor.exe	37
PID 2804 wrote to memory of 1444	2804	omsecor.exe	37
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38
PID 1444 wrote to memory of 2328	1444	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
"C:\Users\Admin\AppData\Local\Temp\d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
  C:\Users\Admin\AppData\Local\Temp\d7a34071cf9f2ea779befb789917ee38e56db1b14d3ec0faa8a013c87fbd38e7N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
cbd52831c31bd135a9a8bb3870d95324

SHA1
c7e121c72585efa95d357453129d0c28743f8652

SHA256
71bc5eecdf6e6f29523ca5c6aef193a97227d9fc6432097de8aefcab5ef96c87

SHA512
3dab0584670134002ddba3d939e701ca6c8bcf439f4b8578dcf9009c05bd58dbeef949726ec04701b4ca6b28a1bd1588780d7a70520ea1347d20720e1427f6b1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
0c534c91178e3f9c38f5b0375ec2d232

SHA1
465ed98a6a0e4a7e19bd078efe77023abb23d5c1

SHA256
6d483f816e0dcd9163a21c21e881c8beb2666c419353fd4fbfde0fc83c752574

SHA512
9b870189a515bde581355a3330604764402ced1e9b750398d5b3a17eb9369e7acaef74bf0f7eeb8d37b6eca83853a2b26f764e8dce1977e3b259a3f4f939bd11

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
86a43f399013f141a9d837aa147b6653

SHA1
b269ac0b581babb22cd33d4a5656c806f69254c3

SHA256
38ee4e89d14986f352cba1786e964831b4dc7c05ef0bf07d580208f978af17e1

SHA512
95596ac6a51db340a3b8ffe939822c9b82cf3461f7eb962ae0be6810a0d380578aff0f21b9964e8dfdbaa69896975713d4ca1901724ebf9b3078edcd09928dff

Download Submit
memory/1348-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1348-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1444-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1820-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1820-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2068-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2068-23-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/2068-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-45-0x00000000007E0000-0x0000000000804000-memory.dmp

Filesize
144KB

Download
memory/2292-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2328-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2804-69-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2804-73-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2904-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2904-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download