neconyd | 2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
Size

134KB
MD5

3ec3676a6b7abe2484e9c50e4c7ec589
SHA1

4b88f104b7cf08b432aa246a2700db1e71748c8f
SHA256

2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11
SHA512

c5a6c1964305d99c2124a576d0b3f915af386a2135a3b8c14c806773506dffaca088ff58c018ac61418975e04129848adad97852660c4a181633e514e3cdb16f
SSDEEP

1536:1DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiF:ViRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2572	omsecor.exe
2052	omsecor.exe
2000	omsecor.exe
2912	omsecor.exe
2040	omsecor.exe
2988	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
2572	omsecor.exe
2052	omsecor.exe
2052	omsecor.exe
2912	omsecor.exe
2912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2572 set thread context of 2052	2572	omsecor.exe	32
PID 2000 set thread context of 2912	2000	omsecor.exe	36
PID 2040 set thread context of 2988	2040	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2320 wrote to memory of 2028	2320	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	30
PID 2028 wrote to memory of 2572	2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	31
PID 2028 wrote to memory of 2572	2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	31
PID 2028 wrote to memory of 2572	2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	31
PID 2028 wrote to memory of 2572	2028	2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe	31
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2572 wrote to memory of 2052	2572	omsecor.exe	32
PID 2052 wrote to memory of 2000	2052	omsecor.exe	35
PID 2052 wrote to memory of 2000	2052	omsecor.exe	35
PID 2052 wrote to memory of 2000	2052	omsecor.exe	35
PID 2052 wrote to memory of 2000	2052	omsecor.exe	35
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2000 wrote to memory of 2912	2000	omsecor.exe	36
PID 2912 wrote to memory of 2040	2912	omsecor.exe	37
PID 2912 wrote to memory of 2040	2912	omsecor.exe	37
PID 2912 wrote to memory of 2040	2912	omsecor.exe	37
PID 2912 wrote to memory of 2040	2912	omsecor.exe	37
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38
PID 2040 wrote to memory of 2988	2040	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
"C:\Users\Admin\AppData\Local\Temp\2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
  C:\Users\Admin\AppData\Local\Temp\2392e1c3406dbe8d715a8e2d84625941c6f887f4106890645935f2f842439a11.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
058a081e15562c868978d4a42435ad42

SHA1
7ab21d4622866fee92fc10c2ddaf1d499e544001

SHA256
3821a156e60289477024c7d01a234030ba2f21727cc1b4e49eef1860df10abc7

SHA512
a728f797753be8b08bf3298c8d7c3b3e58d77197ee7cd319033a87f18baeaf5a4868d294a31f1303b1e00df7af119d815753bc67acbf6d2bc0ac949ac994aee4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d0f2dd34b16f41109fd7d2c850f0f2ea

SHA1
a53d9a8846470cccaaaa90aaa281384b06cc48e3

SHA256
fea9f710bc11652d117704a22e4d9fd4c35e3bf65e889f3c9eb56b49b46af477

SHA512
eaf40fc93a135b47023bd436ecc64944c39729b73a25bca5c1f2ecd621e9dda9596c9e29ebc68ba1aab6766fa7ba936ad2231c88076d7db9f86ebdeb8daa9be4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
ac4ace4bbe0311f719eea5c2e12b1119

SHA1
cc980270f216133814f49ca0aec9bd6a6d2fd522

SHA256
64ffd609bec3850637e1a0dd549ed8c04a43e6323eae26f348787bd3d6c90e1c

SHA512
f7559af49758a0f862a8e0f6ef09449279e66958a26a185bb64b440ae4fa3a6bb3fdd944622f05a142335c54f49c338be1f8a67ccfc4b2f62665073137c5c2fc

Download Submit
memory/2000-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2028-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2052-46-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2052-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-52-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2320-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2320-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-23-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2912-70-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2988-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download