neconyd | 1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
Size

134KB
MD5

9e1819eedab3513d2b838dfec76000a0
SHA1

aa5d7cb394186c042f3e06eae176f5bf0af8a933
SHA256

1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99
SHA512

3c556e7651560e3651c8bff3aa156c226abe95a2dc13370e3fc300b9c3f7423d00e359f276ca5616901b6ad54af8f6d37ecdbee0970162002a42860b855ae057
SSDEEP

1536:KDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:siRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2668	omsecor.exe
2868	omsecor.exe
1308	omsecor.exe
2988	omsecor.exe
2124	omsecor.exe
1176	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
2668	omsecor.exe
2868	omsecor.exe
2868	omsecor.exe
2988	omsecor.exe
2988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2668 set thread context of 2868	2668	omsecor.exe	32
PID 1308 set thread context of 2988	1308	omsecor.exe	36
PID 2124 set thread context of 1176	2124	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2708 wrote to memory of 2828	2708	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	30
PID 2828 wrote to memory of 2668	2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	31
PID 2828 wrote to memory of 2668	2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	31
PID 2828 wrote to memory of 2668	2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	31
PID 2828 wrote to memory of 2668	2828	1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe	31
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2668 wrote to memory of 2868	2668	omsecor.exe	32
PID 2868 wrote to memory of 1308	2868	omsecor.exe	35
PID 2868 wrote to memory of 1308	2868	omsecor.exe	35
PID 2868 wrote to memory of 1308	2868	omsecor.exe	35
PID 2868 wrote to memory of 1308	2868	omsecor.exe	35
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 1308 wrote to memory of 2988	1308	omsecor.exe	36
PID 2988 wrote to memory of 2124	2988	omsecor.exe	37
PID 2988 wrote to memory of 2124	2988	omsecor.exe	37
PID 2988 wrote to memory of 2124	2988	omsecor.exe	37
PID 2988 wrote to memory of 2124	2988	omsecor.exe	37
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38
PID 2124 wrote to memory of 1176	2124	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
"C:\Users\Admin\AppData\Local\Temp\1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
  C:\Users\Admin\AppData\Local\Temp\1e9ca37646c0b527ce04a0b28dacb158bb1625f05249dba0570d9c40ec9e3b99N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
a20a11e17973bcf9f9ff3a841eb9e80d

SHA1
9c7bddb753d5b5bd000bb31d60e972d795664ff7

SHA256
b447bd6f12253dcbd529299aece48b11972212ed15f1262489431b4d35957f60

SHA512
9525ee123b79d87da37a6c70852dd1955228c1cca76ec38570586c76b366a98143f44d6792b4053cc12374a49279ec9fb74fcb671dc7845fd002f9b3daddd67e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
78c79b32a1102009f91f23e44059561e

SHA1
827f522c19b36974ebe6f461315465de9b12ad88

SHA256
3b936c4587ae6b36f10faaff42729dd0a89c25a1cb39330a3a0615f53e78de8e

SHA512
07514320548990eb9ba56fe3f295db4b157b17f69812d8f0038f57ec2a94a414189eb5bb655c56ee74ff08d23b5971ad0b6dd2cb1476a0e18dd842b89d2c7cdb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
4e548fc70324505600126440c058a639

SHA1
50318142e191e4b295040d17fdd66691cde9658b

SHA256
647b0030dbf3c029646224fa498322423f427ad357b4fa1d3e11305f866e6afa

SHA512
2a1eb6d32c6c0e6c77750c203282bb81f5b065e7a367e3a4e894c7eb2d8a43a8a21f1c216cda03f7c4f8a8408957c3e87df205e48df882808531bc925c423ae1

Download Submit
memory/1176-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1308-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2124-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-23-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2668-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-33-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2708-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2828-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-13-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2828-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-46-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/2868-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-68-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download