neconyd | 89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/12/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Size

134KB
MD5

3d5b3c7cb20af8977f78ccfefb8cc367
SHA1

d0e1ad339d0e8741bb966323522734498e5f81dd
SHA256

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0
SHA512

c695929ab9ab7fa93ea43d476b5b55bbe586b1b9a559dcfeee641b4f1016f6573d5def299a96eac55815f1d42e6d8138701e324244f695663490401fe2a822ae
SSDEEP

1536:KDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiV:siRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2876	omsecor.exe
2312	omsecor.exe
2064	omsecor.exe
1888	omsecor.exe
1896	omsecor.exe
1884	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
2876	omsecor.exe
2312	omsecor.exe
2312	omsecor.exe
1888	omsecor.exe
1888	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2876 set thread context of 2312	2876	omsecor.exe	32
PID 2064 set thread context of 1888	2064	omsecor.exe	36
PID 1896 set thread context of 1884	1896	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 1152 wrote to memory of 2160	1152	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2160 wrote to memory of 2876	2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2160 wrote to memory of 2876	2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2160 wrote to memory of 2876	2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2160 wrote to memory of 2876	2160	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2876 wrote to memory of 2312	2876	omsecor.exe	32
PID 2312 wrote to memory of 2064	2312	omsecor.exe	35
PID 2312 wrote to memory of 2064	2312	omsecor.exe	35
PID 2312 wrote to memory of 2064	2312	omsecor.exe	35
PID 2312 wrote to memory of 2064	2312	omsecor.exe	35
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 2064 wrote to memory of 1888	2064	omsecor.exe	36
PID 1888 wrote to memory of 1896	1888	omsecor.exe	37
PID 1888 wrote to memory of 1896	1888	omsecor.exe	37
PID 1888 wrote to memory of 1896	1888	omsecor.exe	37
PID 1888 wrote to memory of 1896	1888	omsecor.exe	37
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38
PID 1896 wrote to memory of 1884	1896	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
"C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
529cfc078ce3b52562b16400dd734c8d

SHA1
f3a3708bee97734670490363f99b2ad8c81e811b

SHA256
c6c34050f8ed5ee9dfb5b3aa96e32d1520fc22302deb2c18e54f5a08625a444a

SHA512
72043eb189a8e6af5caf618073693780817a284d7727da911f3638435586aba8b2ac1f296fa7b54ee87230fbd4fe296f6544deeb1b17dcb522806d62e05282c4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ab8d57234c92a23433e94fb0e8eb486d

SHA1
acf04dd15a97237f6327c4bf8b00cc71642a65cb

SHA256
621320b873aadb679c2b4f3927f023194c7fb693b6174ff8f8d827f40c684c95

SHA512
c2194c34a756e123eedeac2eb3aea1cd69f1b1963b69e5eb363ea047ef19d5748c6c1a00298f1f03c5d6a36fd45cd84bb3b263bacd0914b34cf9e7cb22d16478

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
5b4f7023f1ebf3b7857e4b4e70726304

SHA1
7b71eb79c532cdc71a6e1428a14094ab38e234d1

SHA256
89763e3deed5d44ea4c94a0aedc0bd5980d6338d512ea652bc2af80b504fb15d

SHA512
acd44491021eade4b54dd617f3756951c5295333db3ccb582b1e25a39940c468afe4497903058785b99f99bbe26efde780b4f2e69c2b51fb7de49cb375d06125

Download Submit
memory/1152-36-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1152-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1152-7-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1152-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1884-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-72-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1896-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1896-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2064-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2160-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-21-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2160-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-20-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2312-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-49-0x0000000001FA0000-0x0000000001FC4000-memory.dmp

Filesize
144KB

Download
memory/2312-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2312-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-26-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2876-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2876-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download