neconyd | 89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Size

134KB
MD5

d0cc2fbc746b4faaa3a62c8c3a4250e0
SHA1

f546e2be5ec764db8f258d101b80408b2873d707
SHA256

89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03
SHA512

daf0d06cca896339410182bf3edceb04e21393f74f2af4e6551042f463486002a40719451bcb253684dfd029a8d3a4197a29dc5f0c85b0c23d05191bac04d0cc
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCil:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2136	omsecor.exe
1148	omsecor.exe
1796	omsecor.exe
2372	omsecor.exe
1388	omsecor.exe
1456	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
2136	omsecor.exe
1148	omsecor.exe
1148	omsecor.exe
2372	omsecor.exe
2372	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2136 set thread context of 1148	2136	omsecor.exe	32
PID 1796 set thread context of 2372	1796	omsecor.exe	36
PID 1388 set thread context of 1456	1388	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2908 wrote to memory of 2400	2908	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	30
PID 2400 wrote to memory of 2136	2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	31
PID 2400 wrote to memory of 2136	2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	31
PID 2400 wrote to memory of 2136	2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	31
PID 2400 wrote to memory of 2136	2400	89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe	31
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 2136 wrote to memory of 1148	2136	omsecor.exe	32
PID 1148 wrote to memory of 1796	1148	omsecor.exe	35
PID 1148 wrote to memory of 1796	1148	omsecor.exe	35
PID 1148 wrote to memory of 1796	1148	omsecor.exe	35
PID 1148 wrote to memory of 1796	1148	omsecor.exe	35
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 1796 wrote to memory of 2372	1796	omsecor.exe	36
PID 2372 wrote to memory of 1388	2372	omsecor.exe	37
PID 2372 wrote to memory of 1388	2372	omsecor.exe	37
PID 2372 wrote to memory of 1388	2372	omsecor.exe	37
PID 2372 wrote to memory of 1388	2372	omsecor.exe	37
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38
PID 1388 wrote to memory of 1456	1388	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
"C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
  C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9e6a3cc0db30598b3e8b7265efbd4834

SHA1
81d545580db097295197a3cee68e43433f353a3f

SHA256
7c31b67daab8b7049b7269a343ab62cddec8bbba9dd2dee9bde81bc3dff13b2e

SHA512
10d0be05336f19bbc63e895cf93a3c8b7b9a7994743be040a7856e1d8aca78d53865cc1e144e33972c9d9759679150db6e5f4962b7fe708898d50cf4af5b8447

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2c878e4804ceb27b37cedb9d1920bf36

SHA1
1b6a5105f97ff3d172d2ee9730b9276bed15f274

SHA256
17b5596d1a049e7e8ffb8354a769fff25153dcae1480f2c3d3b28abfb6394ebd

SHA512
d3505c0c23313f0488d22b5419e590e449718a7674bf6bab660b962abb00cab15691b1b231f0b90734dd70da6d50b520e9b0797b5f50d28f8ca0c193c0ced6bd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
2846931a424c221fccfaf27df4a32e25

SHA1
a2641080d8f518bac06031c852b532f0b555711b

SHA256
504bbc7a4755382e71f250b659af4bda669c0e6dd0a3ef25b0c1c292e7d50445

SHA512
c4899878162bf6433083ff85d0ff5be3faac7fb21aba3b0ec8711b23730c9062cf854bebac4d612c639581dad92ff8abb98b8b097d1e822de0b6eac669eb2333

Download Submit
memory/1148-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-48-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/1148-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1388-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1388-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1456-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2372-70-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2400-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-14-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2400-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-34-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2908-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-7-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download