neconyd | 53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
Size

96KB
MD5

c9348dc0cba4f73aa81a51eeb138d893
SHA1

0c7f37321170c0f77aa81fb0f58d64a3a8eef7c7
SHA256

53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031
SHA512

8e130ee50c0490a264c724f66da367a55daa7ca4cf68ae67b786bbb926654e66850da3581d0d2de5cf51606439049357a68de2451b075eb81bfad4889b7b25e8
SSDEEP

1536:ynAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxZ:yGs8cd8eXlYairZYqMddH13Z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2656	omsecor.exe
1752	omsecor.exe
2424	omsecor.exe
1160	omsecor.exe
1856	omsecor.exe
2332	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
2656	omsecor.exe
1752	omsecor.exe
1752	omsecor.exe
1160	omsecor.exe
1160	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2656 set thread context of 1752	2656	omsecor.exe	32
PID 2424 set thread context of 1160	2424	omsecor.exe	36
PID 1856 set thread context of 2332	1856	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 2628 wrote to memory of 1784	2628	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	30
PID 1784 wrote to memory of 2656	1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	31
PID 1784 wrote to memory of 2656	1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	31
PID 1784 wrote to memory of 2656	1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	31
PID 1784 wrote to memory of 2656	1784	53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe	31
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 2656 wrote to memory of 1752	2656	omsecor.exe	32
PID 1752 wrote to memory of 2424	1752	omsecor.exe	35
PID 1752 wrote to memory of 2424	1752	omsecor.exe	35
PID 1752 wrote to memory of 2424	1752	omsecor.exe	35
PID 1752 wrote to memory of 2424	1752	omsecor.exe	35
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 2424 wrote to memory of 1160	2424	omsecor.exe	36
PID 1160 wrote to memory of 1856	1160	omsecor.exe	37
PID 1160 wrote to memory of 1856	1160	omsecor.exe	37
PID 1160 wrote to memory of 1856	1160	omsecor.exe	37
PID 1160 wrote to memory of 1856	1160	omsecor.exe	37
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38
PID 1856 wrote to memory of 2332	1856	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
"C:\Users\Admin\AppData\Local\Temp\53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
  C:\Users\Admin\AppData\Local\Temp\53bc90e91b950fe98d8c343cc7449809ac16b8765534a277cc6fea7d8d8ad031.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
901af09f2e81ae7c29fe99a201cb1951

SHA1
b5dafe3a56f7b15317cd89f8db2bd172472d6f5a

SHA256
94a1cff27c5225b2c0dc293dca4bd3b26dd2333ab9e767c5b9593358b862a2de

SHA512
d8d790ebe3eb5be04ef52b488ba588ea7bbc80671100d0aad6a49a046ad3a2843004c0b3b91dafa569f4484702830ee485a858c635f3cb595f4349a6fa13b02f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
21c64152e6e9801e8ae2383e74834f25

SHA1
39116aa44e03ffff0de1269e124d01033b3406db

SHA256
33ea9a8c1deca2ce31bd39c5b71945fc6488a8916af593662d550f16ebea171a

SHA512
230e6d979dec904acd16507f92527e779688d3f01e73adeeba67769126ce47813cc4f1bbf59b7939bbca4fd64e274906cef8c91dc6d562e7757bd8149a110dc7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
90ee3da035317b39760303f6061d84e0

SHA1
33c97487fa16db8bfafccbcd64950b1ef8a25c3b

SHA256
deeec27cb3b523d4a942f8663b7bc60130c3c06afe5ef7311c5cd82b53c93adf

SHA512
5e888388b1deb0377e30d067e2da82d269fc4e13883e596c6b4e89fcdf66d27e11fb0d899b5be4f4b864c7c9a37ddcde4536f7195fab1e4a3bca27d8cc12f578

Download Submit
memory/1160-80-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1160-78-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1752-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-48-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/1752-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1784-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1856-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1856-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-34-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2656-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2656-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download