neconyd | b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240e

Analysis

max time kernel
116s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
Size

96KB
MD5

3eb7248df35c054d346056f771ab83d0
SHA1

f9746f6f83101432d6b81f169597116c9e74e815
SHA256

b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240e
SHA512

1949f2bdd4d12d34f8f1a7f734abec83db0574cd88f0a82482e3a2f513f1962ca8627ce7d1ddd7fde92f5d5425faadcd4bf8b809d8f785b511ee34fc62617971
SSDEEP

1536:unAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:uGs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1936	omsecor.exe
2528	omsecor.exe
796	omsecor.exe
1656	omsecor.exe
1940	omsecor.exe
2956	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
1936	omsecor.exe
2528	omsecor.exe
2528	omsecor.exe
1656	omsecor.exe
1656	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1936 set thread context of 2528	1936	omsecor.exe	32
PID 796 set thread context of 1656	796	omsecor.exe	36
PID 1940 set thread context of 2956	1940	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 1832 wrote to memory of 2564	1832	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	30
PID 2564 wrote to memory of 1936	2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	31
PID 2564 wrote to memory of 1936	2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	31
PID 2564 wrote to memory of 1936	2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	31
PID 2564 wrote to memory of 1936	2564	b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe	31
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 1936 wrote to memory of 2528	1936	omsecor.exe	32
PID 2528 wrote to memory of 796	2528	omsecor.exe	35
PID 2528 wrote to memory of 796	2528	omsecor.exe	35
PID 2528 wrote to memory of 796	2528	omsecor.exe	35
PID 2528 wrote to memory of 796	2528	omsecor.exe	35
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 796 wrote to memory of 1656	796	omsecor.exe	36
PID 1656 wrote to memory of 1940	1656	omsecor.exe	37
PID 1656 wrote to memory of 1940	1656	omsecor.exe	37
PID 1656 wrote to memory of 1940	1656	omsecor.exe	37
PID 1656 wrote to memory of 1940	1656	omsecor.exe	37
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38
PID 1940 wrote to memory of 2956	1940	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
"C:\Users\Admin\AppData\Local\Temp\b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
  C:\Users\Admin\AppData\Local\Temp\b480246bd25b419fe841a5156e0851d3817239270adad281a51351a01525240eN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
242501458c63f49b394d04108e0fa0f9

SHA1
ee3cfdd0766d5d3861322e53948cc8cb22dfad11

SHA256
02957d16d60dfd6fb23518613adde7e89f16749b0dd661b1fcf0961a4b9677b4

SHA512
c045ee08f8575a2b3498f497b7184bdb6f43f0e7178d68f21dd85ed087bd09ff93ab045e2cab204952e075cef7278c1c6ec07eb5e79c83a237078ae0f38ddd1f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
11f9bd3f7e51dc4055ba2754df304cce

SHA1
551d80a3c44d747a8d8035cd1eace12416a830b6

SHA256
1cb4c98bb46e51a7852289baccf6a56cebed4b214ad72e31d07b2e2bcac94c87

SHA512
c8f88b2dc40b1c27123c1c0984ac941099e03a804457a56a1987522f248afe8132b445b701e23c85433ebb6b7cb385fa87e6a49d1bc68b612ba78351d31dfa1f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c13df34b22c77ea5536370e8d21db7c6

SHA1
701cb13c227bc934a2cde706bb79d25fd34abff1

SHA256
218828aabb6a5816632d4a14dd70fac94643c8aa7d38a59b2ff9b001654a3f85

SHA512
6db693279ff36e212ba1a2ead41fd86d2d6cef7955499c6ac86ece717674de4a737ed2871c75c6ff011627ce1f4feeb705030454c7f3aff064691a3bbb8b4c3b

Download Submit
memory/796-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/796-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1656-75-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/1832-1-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1832-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1832-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1940-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1940-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2528-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-50-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2528-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-23-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2564-37-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2564-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-15-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2564-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download