neconyd | f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Size

134KB
MD5

0e016ef700da2f75e04cdea881bcbde0
SHA1

c77b00e001c8b6411438780da98f4d93ff973b16
SHA256

f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5
SHA512

0ad4b8185dab202561581b5daba7e028d36efe7bdf27a3fcb224664468517018f29dd40ba9ea00e5eaac0a72f7b0bd80c9719197677d314e9c50e124b5a141b2
SSDEEP

1536:fDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:LiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2528	omsecor.exe
2252	omsecor.exe
268	omsecor.exe
1664	omsecor.exe
2980	omsecor.exe
1796	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
2528	omsecor.exe
2252	omsecor.exe
2252	omsecor.exe
1664	omsecor.exe
1664	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2528 set thread context of 2252	2528	omsecor.exe	32
PID 268 set thread context of 1664	268	omsecor.exe	36
PID 2980 set thread context of 1796	2980	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2324 wrote to memory of 2336	2324	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	30
PID 2336 wrote to memory of 2528	2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	31
PID 2336 wrote to memory of 2528	2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	31
PID 2336 wrote to memory of 2528	2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	31
PID 2336 wrote to memory of 2528	2336	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	31
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2528 wrote to memory of 2252	2528	omsecor.exe	32
PID 2252 wrote to memory of 268	2252	omsecor.exe	35
PID 2252 wrote to memory of 268	2252	omsecor.exe	35
PID 2252 wrote to memory of 268	2252	omsecor.exe	35
PID 2252 wrote to memory of 268	2252	omsecor.exe	35
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 268 wrote to memory of 1664	268	omsecor.exe	36
PID 1664 wrote to memory of 2980	1664	omsecor.exe	37
PID 1664 wrote to memory of 2980	1664	omsecor.exe	37
PID 1664 wrote to memory of 2980	1664	omsecor.exe	37
PID 1664 wrote to memory of 2980	1664	omsecor.exe	37
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38
PID 2980 wrote to memory of 1796	2980	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
"C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
237a4f2577e78998d6c839bba61dcdad

SHA1
60350ebe9b8f80a61f8e0239b939414a3b8f17a3

SHA256
bc97d6d04ae87c3b9b0c1bc34aa12af7fb6109559af76145f964d71d160df5e8

SHA512
dc2b0efe3fa95fb4a7bb9eec16a3bc294dfd57d60eda2f948e2f67991a951385cbf22edc5a76c59220509fc0ad8df64cbceedee8aec9d1853359f0882eab03ba

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
abba27fa85369776aed68524e96504a5

SHA1
2d6a32d94733b944912b18b8708c8c520d74e34b

SHA256
288eb5e080e855c2ceaf75bd52d2b4482fc39c1f7e083fcebecb06dce27f523f

SHA512
54de943b4e6f7894836e73c60a2e796eb66d6ea757e54cd0fbc56b0b48d1029f96df454f39a4c6581645c499914569ffb8a164abdee60ad7fc0bc8d53e6b5734

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
1b6aad8ab75143424e07beb76ed2d438

SHA1
5a63dd0af6111240d8d11ea83f232f38077aa77a

SHA256
e53277dc56bc9f42ecaaa9e5cb68b1be4e8ac7d8b6e3a9bf981632bf7174fb20

SHA512
3682205c5989698894e928070228d4eefa990940562dd9875f0cea07f88b4564634402d9169e35de19be834acf29a58ff1853932b040b35800195bd5b49898a4

Download Submit
memory/268-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/268-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1796-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-51-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2252-52-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2252-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2324-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2528-23-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2528-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download