neconyd | b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
Size

96KB
MD5

f13492ee049c526f1bec0f01336068ad
SHA1

d07e251fb43f1a109b4b0b7c7c4fb293c6fdb674
SHA256

b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944
SHA512

4af168910ceba3f00fa73bf83660f4b4bfbe0e8e78c3c6d34b4309469aba0f086e51e885544cd7879b68cfe9e723a83da879f9c31d0afb81b34770a1ca559b63
SSDEEP

1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:BGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2688	omsecor.exe
2892	omsecor.exe
2072	omsecor.exe
780	omsecor.exe
2408	omsecor.exe
2392	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
2688	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe
780	omsecor.exe
780	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2688 set thread context of 2892	2688	omsecor.exe	33
PID 2072 set thread context of 780	2072	omsecor.exe	36
PID 2408 set thread context of 2392	2408	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2704 wrote to memory of 2800	2704	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	31
PID 2800 wrote to memory of 2688	2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	32
PID 2800 wrote to memory of 2688	2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	32
PID 2800 wrote to memory of 2688	2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	32
PID 2800 wrote to memory of 2688	2800	b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe	32
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2892 wrote to memory of 2072	2892	omsecor.exe	35
PID 2892 wrote to memory of 2072	2892	omsecor.exe	35
PID 2892 wrote to memory of 2072	2892	omsecor.exe	35
PID 2892 wrote to memory of 2072	2892	omsecor.exe	35
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 2072 wrote to memory of 780	2072	omsecor.exe	36
PID 780 wrote to memory of 2408	780	omsecor.exe	37
PID 780 wrote to memory of 2408	780	omsecor.exe	37
PID 780 wrote to memory of 2408	780	omsecor.exe	37
PID 780 wrote to memory of 2408	780	omsecor.exe	37
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38
PID 2408 wrote to memory of 2392	2408	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
"C:\Users\Admin\AppData\Local\Temp\b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
  C:\Users\Admin\AppData\Local\Temp\b5f26e581a6820ac1a64a1491ff41cc5380ff5092a8ccef3ffe4a78f3512e944.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1912b262feb9e637c298f0a93305c918

SHA1
39494753a25184601df5816ee34011b9ef09d4b0

SHA256
c156c4a95f74c8d20b461cc15134d8bca64e423e1bf3912069add0c81638b795

SHA512
38f2851337c9204b04a2eba591a4b2b39cea122978288552b72c60eb21291315d13ee9fb3ebcebec337c96a4904bc25326568386e07e38ebb4bb5b7e5ef75a7c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
09f970558b7f66bce550861c6afbac78

SHA1
410c9bb394cef4cdd687ffc97e0e6e9802c7b644

SHA256
382456b08fc5b37db4ccaa9c8b9c60636bed2e5a505c780f8910fa6623844295

SHA512
c09bb9791ffed0e4014c1d205d5a5f0cec4c11b2b566434af186978f8bc48ee197de7f3e412fa35942b5cb28764899c5b71283effea901884455adf9f58f0e84

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
247f3e0585131ee44aedb37c6c3f6793

SHA1
0adac72c98020f7b7cc8dbdc43339cc5dcaf08bc

SHA256
99dec4e15c002a62a8366e2ef59031051cd509c7e88dcecaba3c8e7a1be5e6d3

SHA512
5aae2ac4bad0c948b18eb23fe09804ec0c4e09ecc11577529e1b7a918d8938ef753ad523217a2e5a908048270e71bb3bef2249d2ad48ef07bab0102d82236e31

Download Submit
memory/780-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2072-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2392-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-6-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2704-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2800-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-15-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2800-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-58-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2892-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-91-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2892-48-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2892-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download