neconyd | 44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
Size

134KB
MD5

bd6ce6b625fe5fbbad2e65eb4db34a40
SHA1

0215172cc69119d8f0f088b58f64c5a281f44fef
SHA256

44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699
SHA512

7e2654c3b984a9298284e60bfb0f6adabe78c5d2516c06ce0c6e02cd402a91254a92259c3bb8c03e4af419b9a83173ae216b5f920194498e9dba3128ee4c0f92
SSDEEP

1536:bDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7l:XiRTeH0NqAW6J6f1tqF6dngNmaZC7Mc

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2448	omsecor.exe
2464	omsecor.exe
2980	omsecor.exe
2012	omsecor.exe
1992	omsecor.exe
2560	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
2448	omsecor.exe
2464	omsecor.exe
2464	omsecor.exe
2012	omsecor.exe
2012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 2448 set thread context of 2464	2448	omsecor.exe	32
PID 2980 set thread context of 2012	2980	omsecor.exe	36
PID 1992 set thread context of 2560	1992	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 1748 wrote to memory of 2372	1748	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	30
PID 2372 wrote to memory of 2448	2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	31
PID 2372 wrote to memory of 2448	2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	31
PID 2372 wrote to memory of 2448	2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	31
PID 2372 wrote to memory of 2448	2372	44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe	31
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2448 wrote to memory of 2464	2448	omsecor.exe	32
PID 2464 wrote to memory of 2980	2464	omsecor.exe	35
PID 2464 wrote to memory of 2980	2464	omsecor.exe	35
PID 2464 wrote to memory of 2980	2464	omsecor.exe	35
PID 2464 wrote to memory of 2980	2464	omsecor.exe	35
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2980 wrote to memory of 2012	2980	omsecor.exe	36
PID 2012 wrote to memory of 1992	2012	omsecor.exe	37
PID 2012 wrote to memory of 1992	2012	omsecor.exe	37
PID 2012 wrote to memory of 1992	2012	omsecor.exe	37
PID 2012 wrote to memory of 1992	2012	omsecor.exe	37
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38
PID 1992 wrote to memory of 2560	1992	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
"C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
  C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e96e2fa17da362ff1d69f68772cc0483

SHA1
ad0768500d34ac4950b3007661ea52b6b2c31031

SHA256
a3835757c4e5f8f428012ff659bbc30e23e9206983ab036052b712acf402bb00

SHA512
9a87766a4ca8a7435614611369f627c8852a6b78b1d9f544152e8941f855cd55d875c1cae92ed7c84acd627c423be62300eaaa44e08b8f71d771e3d5eae57beb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
7931b9e3414b127b62be847428e4c9af

SHA1
d456b7a23a04cce29315595ecfe7cfa1edff32d2

SHA256
415aea8d85f2b500ac86e26a17fa8d25f32f89b60bd65655367b44813499cff8

SHA512
1c58f93585500eda07f2b6ff93d5599ac9093c70b9a857a41553a49afc13af099f55e38e4f9a299fd7901cf1478dc23e33c300a9bc62059c48787d559ee15508

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
d8680d5a34deafe2f3bc251e8114510c

SHA1
570ac21899a786779c0a00613cf70e347dba685c

SHA256
9d85ee0db601d6a88a52534d95bb954c28a52f291bfb604b7e62bb4eb06aa37d

SHA512
5ee212900ec1893f0c6a0e27d8a3ee6cb9c01b7de544349e994b9b3766661c0bbe1e3536492d8e52a28f21f95d14a4dc9faff717480290366a14eaf34f95ad23

Download Submit
memory/1748-7-0x0000000000340000-0x0000000000364000-memory.dmp

Filesize
144KB

Download
memory/1748-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1992-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2012-68-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2372-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-14-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2372-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2448-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-45-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2464-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2980-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download