neconyd | 8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
Size

96KB
MD5

e33d8e4561da0b3aa0e855b14b4ce958
SHA1

5129486d7916b2686e78335045850ffbfa1a388b
SHA256

8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d
SHA512

45e7897415d09261af7bfc3d70d2569b4e69ba44ee7abfdd543c9a373bb95cae5defd7877963935ca72b791ccfadab535f56042e52458ab31555f36becea959c
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:JGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2100	omsecor.exe
2472	omsecor.exe
320	omsecor.exe
2004	omsecor.exe
2676	omsecor.exe
2260	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
2100	omsecor.exe
2472	omsecor.exe
2472	omsecor.exe
2004	omsecor.exe
2004	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2100 set thread context of 2472	2100	omsecor.exe	32
PID 320 set thread context of 2004	320	omsecor.exe	36
PID 2676 set thread context of 2260	2676	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2288 wrote to memory of 2156	2288	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	30
PID 2156 wrote to memory of 2100	2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	31
PID 2156 wrote to memory of 2100	2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	31
PID 2156 wrote to memory of 2100	2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	31
PID 2156 wrote to memory of 2100	2156	8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe	31
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2100 wrote to memory of 2472	2100	omsecor.exe	32
PID 2472 wrote to memory of 320	2472	omsecor.exe	35
PID 2472 wrote to memory of 320	2472	omsecor.exe	35
PID 2472 wrote to memory of 320	2472	omsecor.exe	35
PID 2472 wrote to memory of 320	2472	omsecor.exe	35
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 320 wrote to memory of 2004	320	omsecor.exe	36
PID 2004 wrote to memory of 2676	2004	omsecor.exe	37
PID 2004 wrote to memory of 2676	2004	omsecor.exe	37
PID 2004 wrote to memory of 2676	2004	omsecor.exe	37
PID 2004 wrote to memory of 2676	2004	omsecor.exe	37
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38
PID 2676 wrote to memory of 2260	2676	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
"C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
  C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a7f149bb2ecd0ccb13abbe7b560c00c9

SHA1
668e88509f9a0dddeeeb76317fbfa62eb6572d3c

SHA256
78728c58f0716c1439cc104bc46b8b19be4d933089b9a79570215309df6305ef

SHA512
56ab04ae880b920364bd0eefd9dec8323feb7cb1ed304b454779aef1e5a035a0d416b6924131759c210167abd76591facf4db2c7eb742be3dcb57e464dc5cbd5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a7f2b06bbb31d433321e70530c075994

SHA1
593a6ee2c4f9246f68d7538f33526426e4bb0917

SHA256
9107821746fa7ee9d403e3ba4e58fccd517c184e4f14542d84029a20f55a0637

SHA512
9ab08b155d14c2ba3e4b83e7d35e0fc42a5a1581336620e1be5cee14a68fb7e8d7849bd2f97bddd47b8846659303f60cc70da51b6301ec9bc7ac702e5dcc0ef2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c2d0bb9850025f7a4e9809ebe849d9fa

SHA1
25241f33dd8689429da20a034d52c6767a3bb9ea

SHA256
a10291607322da4b278409db29c078c2122b2fe32362ec45c618adfcb1e4a3b9

SHA512
6e2f4558f18f78ad8659d032fa6faea3df8fe4957061b97359fa6cdecd023aa9773657216c59af0fa7856110d35a1d8dfa5f52c83c9e594f2dcccefa8e9fb98a

Download Submit
memory/320-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/320-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2100-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2100-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-12-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2260-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2288-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-47-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2676-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download