neconyd | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/12/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
Size

134KB
MD5

b94b47d7d5e2f2ebfe6016e80093b3ca
SHA1

a6710d18bc197b67b0f43e9f1781ac52ff263466
SHA256

b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d
SHA512

3e13700b76190934efacde18628621d6438bcb249b54c214fd14606785357018e8a12a57438602357034b4bb59d4b992184e9306238ce805382ced26ae990efc
SSDEEP

1536:qDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:MiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2304	omsecor.exe
1792	omsecor.exe
1784	omsecor.exe
2060	omsecor.exe
1544	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
2304	omsecor.exe
1792	omsecor.exe
1792	omsecor.exe
2060	omsecor.exe
2060	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2304 set thread context of 1792	2304	omsecor.exe	33
PID 1784 set thread context of 2060	1784	omsecor.exe	36
PID 1544 set thread context of 2660	1544	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 2084 wrote to memory of 1988	2084	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	31
PID 1988 wrote to memory of 2304	1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	32
PID 1988 wrote to memory of 2304	1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	32
PID 1988 wrote to memory of 2304	1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	32
PID 1988 wrote to memory of 2304	1988	b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe	32
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 2304 wrote to memory of 1792	2304	omsecor.exe	33
PID 1792 wrote to memory of 1784	1792	omsecor.exe	35
PID 1792 wrote to memory of 1784	1792	omsecor.exe	35
PID 1792 wrote to memory of 1784	1792	omsecor.exe	35
PID 1792 wrote to memory of 1784	1792	omsecor.exe	35
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 1784 wrote to memory of 2060	1784	omsecor.exe	36
PID 2060 wrote to memory of 1544	2060	omsecor.exe	37
PID 2060 wrote to memory of 1544	2060	omsecor.exe	37
PID 2060 wrote to memory of 1544	2060	omsecor.exe	37
PID 2060 wrote to memory of 1544	2060	omsecor.exe	37
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38
PID 1544 wrote to memory of 2660	1544	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
"C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e23920203856afadcb9d673c4e798a11

SHA1
0dbb4ef848104324903578c0cda156c79ad7aa57

SHA256
c15af5504c71a3b7e787e098871303c1b0458a298465cfe7a7cd97b7fec1a6e5

SHA512
8d55033484381a0390e9bcfc216bd516f1b4fd4b70f7296e776819144738fe6a969479e232e286b126720f03a0428a88c570a2dfd13cc379bdb6b5ddd432842d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
49a68460d7fd5ee29cbf699f2284316d

SHA1
aaafdea4362b927cdfb719f8da57267d079caa3d

SHA256
7ed69487cbf8e0478c8d4bd9690fd89ab88310c50b7d4c133a0efbaeeb59f580

SHA512
818f8f1462ebe001fcd92d84d78ec59f70f539fee9581c433399aa002b4d1aff49cbb4b3195029438accc8719e5ef42eb1168eff3d13e4eec6d4a19505dee0f7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
ee0271f7abc380109206a64454a57df4

SHA1
409f209d3369b6a4370c147b101c5011f5b2a451

SHA256
3da57c9f50cc96fa55512fc7ec1817549600d2f4071e3097c29a683f8b3c5b68

SHA512
d5eeabbfd895b21e21da8345bbbc75865da188c880f9637ea0dcbd8ffc4899732670b314a4e2d2d76879d6a1cf24053303a66af490c38e1df63fbd6d40c41739

Download Submit
memory/1544-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1544-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1784-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1784-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1792-52-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/1792-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-51-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/1792-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1988-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1988-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1988-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1988-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1988-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2084-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2084-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-23-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2304-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2660-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download