neconyd | f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051a

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
Size

96KB
MD5

eb8c205941d1fc8787f4eb990ab6ff30
SHA1

b14c6682a68a62207e630b32d04ab476565f0aed
SHA256

f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051a
SHA512

f8f22ad5da59e1ab8b0c3cc6e14cac7016ea7b41b44e189bb968a4d0c8f06669b073825407a4db8006e178068391bc20a2608f8ede14f2187f5b70412ed62984
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:oGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1660	omsecor.exe
2252	omsecor.exe
320	omsecor.exe
1760	omsecor.exe
2392	omsecor.exe
1856	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
1660	omsecor.exe
2252	omsecor.exe
2252	omsecor.exe
1760	omsecor.exe
1760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 1660 set thread context of 2252	1660	omsecor.exe	33
PID 320 set thread context of 1760	320	omsecor.exe	37
PID 2392 set thread context of 1856	2392	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2420 wrote to memory of 2536	2420	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	31
PID 2536 wrote to memory of 1660	2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	32
PID 2536 wrote to memory of 1660	2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	32
PID 2536 wrote to memory of 1660	2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	32
PID 2536 wrote to memory of 1660	2536	f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe	32
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 1660 wrote to memory of 2252	1660	omsecor.exe	33
PID 2252 wrote to memory of 320	2252	omsecor.exe	36
PID 2252 wrote to memory of 320	2252	omsecor.exe	36
PID 2252 wrote to memory of 320	2252	omsecor.exe	36
PID 2252 wrote to memory of 320	2252	omsecor.exe	36
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 320 wrote to memory of 1760	320	omsecor.exe	37
PID 1760 wrote to memory of 2392	1760	omsecor.exe	38
PID 1760 wrote to memory of 2392	1760	omsecor.exe	38
PID 1760 wrote to memory of 2392	1760	omsecor.exe	38
PID 1760 wrote to memory of 2392	1760	omsecor.exe	38
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39
PID 2392 wrote to memory of 1856	2392	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
"C:\Users\Admin\AppData\Local\Temp\f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
  C:\Users\Admin\AppData\Local\Temp\f58f93502ddab409e19510cafa303890b56b4f889728a69b28f5019fc73f051aN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f8fc16ff72b1784161e44a7a9728a756

SHA1
3653b4b7fcbefb4fe72a91caf2d14e54d60bf8fc

SHA256
c202942c62a0da9cfc0a7e593b2cce16696d37383798fef09bf9a8d113766a7f

SHA512
595995ea10100e2af22c4f2a1a123450b27f0676470e2e617f1a616d09033ef3cdc5f145b1d63b249b4e71a34b327dbf309f85dd239d5b9a564916f289f22419

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f2fd7bbcd976fec76f368d9f5d62ed40

SHA1
9ac778eb2c2ec7c2612d847d463e0701c06e3083

SHA256
23a1fb0a6ff73990a6006cbc097d663327ed9e1a7d8e2bfcfb3ad21c9f5abbd5

SHA512
68f8a3e85cd6dd13c2bc0a8fecc64584ebd1ed4ca0f569b9868609ba2d5b7dc42dfb31ed32060af5bcf023a42a0ff249bbc18468ee45a0e0df3fe06d10e9067b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
4e6be40d756de85b725ca6a31aed7059

SHA1
30630cd457486c11a59ea0fa6cca35c73f2a062c

SHA256
69fae7b3b7fc3b78e68c2e3eca268aeaa3dcdfe4fd9251ed1cdd5e784417fac8

SHA512
98105f0ea2893cd985cced292f7cbaa24b2fecbf627e11ee5a3e069415012e80113cc47aa67ce78bc39da9ee5a87e93ade0c4cce70d9a810398e15ed3272fb7a

Download Submit
memory/320-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/320-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1660-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1660-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1660-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1760-89-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1760-77-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1856-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-52-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2252-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-51-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2392-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2536-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download