neconyd | c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
Size

96KB
MD5

da97c6e72c9bd21569f357bbb0f30bc0
SHA1

e9dbfc9a7ecd11b4cca28f46053ccfda43e3a502
SHA256

c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7e
SHA512

7f45e174e326a791e9b5f164aae1930b237caeefd2159064f3c796ffc22147c1b7fe0533e6601072b5d772bea61fd5709b403b30dbd1945a502c7bf7a5308673
SSDEEP

1536:2nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:2Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2420	omsecor.exe
2404	omsecor.exe
2664	omsecor.exe
2880	omsecor.exe
1612	omsecor.exe
2636	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
2420	omsecor.exe
2404	omsecor.exe
2404	omsecor.exe
2880	omsecor.exe
2880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2420 set thread context of 2404	2420	omsecor.exe	32
PID 2664 set thread context of 2880	2664	omsecor.exe	36
PID 1612 set thread context of 2636	1612	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 2156 wrote to memory of 1992	2156	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	30
PID 1992 wrote to memory of 2420	1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	31
PID 1992 wrote to memory of 2420	1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	31
PID 1992 wrote to memory of 2420	1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	31
PID 1992 wrote to memory of 2420	1992	c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe	31
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2420 wrote to memory of 2404	2420	omsecor.exe	32
PID 2404 wrote to memory of 2664	2404	omsecor.exe	35
PID 2404 wrote to memory of 2664	2404	omsecor.exe	35
PID 2404 wrote to memory of 2664	2404	omsecor.exe	35
PID 2404 wrote to memory of 2664	2404	omsecor.exe	35
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2664 wrote to memory of 2880	2664	omsecor.exe	36
PID 2880 wrote to memory of 1612	2880	omsecor.exe	37
PID 2880 wrote to memory of 1612	2880	omsecor.exe	37
PID 2880 wrote to memory of 1612	2880	omsecor.exe	37
PID 2880 wrote to memory of 1612	2880	omsecor.exe	37
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38
PID 1612 wrote to memory of 2636	1612	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
"C:\Users\Admin\AppData\Local\Temp\c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
  C:\Users\Admin\AppData\Local\Temp\c910139737601d416d81760922cbab3f7fc5b009ab7c121b33e92cdd8898fe7eN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6318c4f9bb42c058fe0650a435c483c2

SHA1
f4edf17ad30ae826d35323e7295defdf30dbc132

SHA256
b1fcef37afeaf2f0b42809f83472248442d2f634778bde10ade00846dd602ab3

SHA512
ece2dbdf6d7d5a006266bd9802bed5e6e056b1f34f20f1285e045afdc57ac1d2622521d3920e329a6e81dfd2084cf77c7bf1ba438d28d535fbcbb4bed24f316b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1ce7d03da2ee07d0022b47192ceb238e

SHA1
4dc0d432bf581972493e2538915bea62c1fa5743

SHA256
f64231a002b9639eec447bf51af9b588b82ee3218eb51750ca85ca42a32b1893

SHA512
87c7499c6d1666a711dd07f5eed5709c4151317f2c5bdafe7cc591798a55761d47f082a7ab8ae314236659e083902676947f7e344f29468757e37130f92bc832

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
698e951c415c255a7b3b8a7f54c43942

SHA1
85ad31d0819344d828d5f57a3f2c5efa6df103b7

SHA256
1cdf7b53dd1eebf968bd354bf87e99959b9dd311970251e33c06f89dc19e8b03

SHA512
65b1645c2c9fbf824242cc92e862d97f0c1496b31d87b9445e55b6a4514a51fd540fae579c377e28beb77ae398417316e40a03622a06c11edf43ea81f3e3e5fc

Download Submit
memory/1612-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1612-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-57-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/2404-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-49-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/2404-90-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/2404-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-29-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2420-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-35-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2636-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download