neconyd | 80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
Size

96KB
MD5

eda6f51861aa16c7b9618049096f7a10
SHA1

57cdb9c23c940e2c381f72ba5dd11b8d30b7ccd9
SHA256

80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4
SHA512

cd03f1ae3602caeebdd635f8f48b810aeec5d9a4c1f87bf6d1d12d8209072a8bde1a355540ab36f4676895d8d615dc02c549ccffff92363f62d03687735a3947
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2212	omsecor.exe
2976	omsecor.exe
448	omsecor.exe
1600	omsecor.exe
2372	omsecor.exe
1980	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
2212	omsecor.exe
2976	omsecor.exe
2976	omsecor.exe
1600	omsecor.exe
1600	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 2212 set thread context of 2976	2212	omsecor.exe	32
PID 448 set thread context of 1600	448	omsecor.exe	35
PID 2372 set thread context of 1980	2372	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 1760 wrote to memory of 2376	1760	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	30
PID 2376 wrote to memory of 2212	2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	31
PID 2376 wrote to memory of 2212	2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	31
PID 2376 wrote to memory of 2212	2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	31
PID 2376 wrote to memory of 2212	2376	80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe	31
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2212 wrote to memory of 2976	2212	omsecor.exe	32
PID 2976 wrote to memory of 448	2976	omsecor.exe	34
PID 2976 wrote to memory of 448	2976	omsecor.exe	34
PID 2976 wrote to memory of 448	2976	omsecor.exe	34
PID 2976 wrote to memory of 448	2976	omsecor.exe	34
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 448 wrote to memory of 1600	448	omsecor.exe	35
PID 1600 wrote to memory of 2372	1600	omsecor.exe	36
PID 1600 wrote to memory of 2372	1600	omsecor.exe	36
PID 1600 wrote to memory of 2372	1600	omsecor.exe	36
PID 1600 wrote to memory of 2372	1600	omsecor.exe	36
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37
PID 2372 wrote to memory of 1980	2372	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
"C:\Users\Admin\AppData\Local\Temp\80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
  C:\Users\Admin\AppData\Local\Temp\80d9454386ae597cebff0a0007cba53f5b349947e8cdbb28cc39757a8c8a25e4N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a41f48c54207c078dc11db4348587adb

SHA1
db2276dc41a503b9c37c4107631a8d437bd9d063

SHA256
e76d99738414ffdf3d4686163e748a6194454ffc3991d7b35541e9c78dffe9cb

SHA512
109842297b5303f8b1274fe4333ebe8de513cfc424649dd09952cae452114b1d251a63c5865948e5946bd79162f5fadfefcea95ee3b9fca4e4466c18677c3bbd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ddc69940cdd9500cf26c0d960ce927a4

SHA1
cd1eb1e565f9eb29ef43e3c993c605dd056b7248

SHA256
9e1762e6fa1f8805aa5d1f761a14e06575b8d27ad7269a85777d50a111a38069

SHA512
abfd0289d3519a7018bdbc8ffbbac0b9685ac3247e4bb7e4ffa9151ea21e761635075b95681069b81c4e0454727b1966a22b996277529bbcd9143f12e2543492

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
96a153ad6faea5d0bc8b175c7fa51f4d

SHA1
99fe9ab53b799c2ca8861e21f0967373593d6c65

SHA256
b10a7e911acbd924531286353dfe9243df1598213a3d4666f17d9f572d61ac28

SHA512
7b1255d68ec248ec100336ba612a461b7e1f939e94ef993a298b6e7a13e058c34e3b6d05e53c5f643c5f3745345299375835ae5a0eefa90f1bf33c1c1c155f01

Download Submit
memory/448-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1600-74-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1760-36-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1760-9-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1760-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1760-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2212-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-49-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2976-59-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2976-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download