neconyd | e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b

Analysis

max time kernel
116s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Size

96KB
MD5

e7b21e143f78b089835bb83b0d883cd3
SHA1

b7dcac827c045891b15108cc070b14e40d4defa0
SHA256

e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b
SHA512

e3df15543382a0bfad4907ab39921afcad4eb31d82195fcdc2b97bad1c18ac3e4b970cd65f1dd32a62126e3869293bb4d8cf915f6cc6c8cd2cc4925d41c77b74
SSDEEP

1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:MGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2968	omsecor.exe
2856	omsecor.exe
3032	omsecor.exe
2420	omsecor.exe
1932	omsecor.exe
2252	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
2968	omsecor.exe
2856	omsecor.exe
2856	omsecor.exe
2420	omsecor.exe
2420	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2968 set thread context of 2856	2968	omsecor.exe	32
PID 3032 set thread context of 2420	3032	omsecor.exe	35
PID 1932 set thread context of 2252	1932	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 2592 wrote to memory of 3000	2592	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	30
PID 3000 wrote to memory of 2968	3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	31
PID 3000 wrote to memory of 2968	3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	31
PID 3000 wrote to memory of 2968	3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	31
PID 3000 wrote to memory of 2968	3000	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	31
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2968 wrote to memory of 2856	2968	omsecor.exe	32
PID 2856 wrote to memory of 3032	2856	omsecor.exe	34
PID 2856 wrote to memory of 3032	2856	omsecor.exe	34
PID 2856 wrote to memory of 3032	2856	omsecor.exe	34
PID 2856 wrote to memory of 3032	2856	omsecor.exe	34
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 3032 wrote to memory of 2420	3032	omsecor.exe	35
PID 2420 wrote to memory of 1932	2420	omsecor.exe	36
PID 2420 wrote to memory of 1932	2420	omsecor.exe	36
PID 2420 wrote to memory of 1932	2420	omsecor.exe	36
PID 2420 wrote to memory of 1932	2420	omsecor.exe	36
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37
PID 1932 wrote to memory of 2252	1932	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
"C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
  C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36088bd70dbd9ff006f88a09ad20574a

SHA1
349126253b15e9568a466c5fe5cf4cd86821c7ef

SHA256
9ad15eb7382692405237767c0813bb429ba955884898505e2b5b9e8c2cb6d532

SHA512
76227c0ca1d9a14cd67c04f385d304751df05d0f79a9e720c5b198c6ba43af3e23c2a7b178503aed85c1f329b4984229dc8ce72af49caea57b09b6c61a58d1ff

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
585c4c9ea357839b6a04a1f249825846

SHA1
55710355c7a2262982cfb6ea516d97f848f75579

SHA256
324a22efaf6c5d5a293c5a0bc0637fa33d24ce9977e5a9745d4814b645c4750b

SHA512
8d73a9befb3021da72acac21087fa8bccc11caccc60e974732c0dc994ad4106262ae7bc90e89632bb8f43df3d643296999da0d4641199eb891b36b15082aca36

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
80b075081a9790f43142aeaa5b3ab422

SHA1
ebb1616cfa13fbbead41c7f566b9db5f22629314

SHA256
99cf3113dd934a37c3754456ceacbd95a6f11fcb64c57876587ef763349db10f

SHA512
8d5dd6019e7a9399094679b4dec09f68712853023d25f93d41b0daf3765b10c0644ef650d77ccc2c170a9fbf776cd99771cceedbc9f9a3c0eee891e8d98e75bc

Download Submit
memory/1932-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1932-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-93-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2420-81-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2592-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2592-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2592-10-0x0000000001B50000-0x0000000001B73000-memory.dmp

Filesize
140KB

Download
memory/2856-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-57-0x00000000028D0000-0x00000000028F3000-memory.dmp

Filesize
140KB

Download
memory/2856-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-49-0x00000000028D0000-0x00000000028F3000-memory.dmp

Filesize
140KB

Download
memory/2856-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-15-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/3000-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download