neconyd | 5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
Size

96KB
MD5

ca3c01db3d967edf3d69a5d99266b880
SHA1

078f6b20d345d895fdb61cc1874ff6bdc44e91a3
SHA256

5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22a
SHA512

d70c02dd3f4e4d26d137f4fa971b6aa5577930f180e1ec98c19ee6a24a28936f17d3388671a8c2851ccf7905dc5eb25413c8bddd85ef383bb800f9c748152186
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:JGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1648	omsecor.exe
2620	omsecor.exe
3028	omsecor.exe
532	omsecor.exe
2360	omsecor.exe
1620	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
1648	omsecor.exe
2620	omsecor.exe
2620	omsecor.exe
532	omsecor.exe
532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 1648 set thread context of 2620	1648	omsecor.exe	32
PID 3028 set thread context of 532	3028	omsecor.exe	36
PID 2360 set thread context of 1620	2360	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2412 wrote to memory of 2408	2412	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	30
PID 2408 wrote to memory of 1648	2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	31
PID 2408 wrote to memory of 1648	2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	31
PID 2408 wrote to memory of 1648	2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	31
PID 2408 wrote to memory of 1648	2408	5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe	31
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 1648 wrote to memory of 2620	1648	omsecor.exe	32
PID 2620 wrote to memory of 3028	2620	omsecor.exe	35
PID 2620 wrote to memory of 3028	2620	omsecor.exe	35
PID 2620 wrote to memory of 3028	2620	omsecor.exe	35
PID 2620 wrote to memory of 3028	2620	omsecor.exe	35
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 3028 wrote to memory of 532	3028	omsecor.exe	36
PID 532 wrote to memory of 2360	532	omsecor.exe	37
PID 532 wrote to memory of 2360	532	omsecor.exe	37
PID 532 wrote to memory of 2360	532	omsecor.exe	37
PID 532 wrote to memory of 2360	532	omsecor.exe	37
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38
PID 2360 wrote to memory of 1620	2360	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
"C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
  C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3da1dd1af6e39f65b9b653a941c701bc

SHA1
703f2dbc6da9b27771c951094b192288e81c43e7

SHA256
b3b3ba05b7e716670328600b19a4a5099abbd2a4ad846e16f5df24e985bdf681

SHA512
7f8c5c8a42c3c2565c80592ad4d119a9475d78e8c107dffbd71d5263fe5383f43a67e5f77365ceeb3d92e0eddd8a2766b669930048eaf34324293db931c07d18

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dfd7b5873166148f0846e516b0587f71

SHA1
5a43e5439c7e28929e4192f148ff5f0966fef9ef

SHA256
d11721896fa6a5b68a2241dbc951f05cdb7f81d24fc5b3b6d8342b2f142283fa

SHA512
321fe5b6f1f15618cf2b45ec5cd18f42dc6e3fd2f3eff8ed17b6c1790e087c538eeb709fd3786ce92d4c128bca374d00b6e204e6bf043feadd2358294b18e8a0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1d28b6f8755f0e006e7cb059987ba7f8

SHA1
55e22388ca8ca1098a7ff7bcdb39b0eaedb239a3

SHA256
e7a087eac775f0b63c6f56217c69c992cc7cd482f89fb329b48f7d97d69385a3

SHA512
51d97c433ffbe291d279031179970819c34531d98a35984455fa1f3e3018ffec476c23333bf80cd83336be34a926b9eddd5d1339603ba13327489fb610105563

Download Submit
memory/532-72-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1620-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1648-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-21-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2408-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2408-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2412-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2620-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-48-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2620-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download