neconyd | 89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Size

134KB
MD5

3d5b3c7cb20af8977f78ccfefb8cc367
SHA1

d0e1ad339d0e8741bb966323522734498e5f81dd
SHA256

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0
SHA512

c695929ab9ab7fa93ea43d476b5b55bbe586b1b9a559dcfeee641b4f1016f6573d5def299a96eac55815f1d42e6d8138701e324244f695663490401fe2a822ae
SSDEEP

1536:KDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiV:siRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2704	omsecor.exe
2612	omsecor.exe
2016	omsecor.exe
1032	omsecor.exe
1456	omsecor.exe
1952	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
2704	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe
1032	omsecor.exe
1032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2704 set thread context of 2612	2704	omsecor.exe	32
PID 2016 set thread context of 1032	2016	omsecor.exe	35
PID 1456 set thread context of 1952	1456	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2980 wrote to memory of 2600	2980	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	30
PID 2600 wrote to memory of 2704	2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2600 wrote to memory of 2704	2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2600 wrote to memory of 2704	2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2600 wrote to memory of 2704	2600	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	31
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2704 wrote to memory of 2612	2704	omsecor.exe	32
PID 2612 wrote to memory of 2016	2612	omsecor.exe	34
PID 2612 wrote to memory of 2016	2612	omsecor.exe	34
PID 2612 wrote to memory of 2016	2612	omsecor.exe	34
PID 2612 wrote to memory of 2016	2612	omsecor.exe	34
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 2016 wrote to memory of 1032	2016	omsecor.exe	35
PID 1032 wrote to memory of 1456	1032	omsecor.exe	36
PID 1032 wrote to memory of 1456	1032	omsecor.exe	36
PID 1032 wrote to memory of 1456	1032	omsecor.exe	36
PID 1032 wrote to memory of 1456	1032	omsecor.exe	36
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37
PID 1456 wrote to memory of 1952	1456	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
"C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
529cfc078ce3b52562b16400dd734c8d

SHA1
f3a3708bee97734670490363f99b2ad8c81e811b

SHA256
c6c34050f8ed5ee9dfb5b3aa96e32d1520fc22302deb2c18e54f5a08625a444a

SHA512
72043eb189a8e6af5caf618073693780817a284d7727da911f3638435586aba8b2ac1f296fa7b54ee87230fbd4fe296f6544deeb1b17dcb522806d62e05282c4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
fe80c2d7b2d78d3c727c06893339c116

SHA1
6274b179e7890e7d776f0b20dce41fa481102e9c

SHA256
20e32db4c74db1a2cd1feea686182fcaac78caf9e8931bbe2fe361a8eaf11236

SHA512
85ec31a8dbb6373099123bf4afd2e8236dbc043a218fd86fb48ca3a2dea4c5954c85b8773deaee063f4a436d2718b5d5d4fcc376416dbfd539b18844b85c3a52

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
29c7bf69cd929c5b8488391d130bf155

SHA1
2c0ddd512962a0884b62c4245d1861c2e48a1fe4

SHA256
c442a1c24dc9cd471cf178ecdd79f93b3585aa54d69deb1580b81895eeaab131

SHA512
c33337db468e7847c25ca1feb6b304933feadb8d48f43aa8ea9e812789fc604628e57d86513299708c6492fa4255ce4a4ff45b0222dbeb53f216972999cde833

Download Submit
memory/1032-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1456-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1952-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2016-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2600-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2600-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2600-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-53-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2612-51-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2612-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2704-23-0x0000000000340000-0x0000000000364000-memory.dmp

Filesize
144KB

Download
memory/2704-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download