neconyd | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Size

96KB
MD5

7f41359706a5ba9171426ed05726b543
SHA1

4f18457e3a7b8ef31c19e710c2715848c88a9513
SHA256

92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924
SHA512

c98a04eb685ad7a5fde0cd4212ecec35f66c7835abfe7602a40673098855384e54492cd3fe693fe4aff5144b72fddbbe826085dc1d00ee5fa7a64aa4feb3e557
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2900	omsecor.exe
2128	omsecor.exe
1324	omsecor.exe
1548	omsecor.exe
1304	omsecor.exe
2060	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
2900	omsecor.exe
2128	omsecor.exe
2128	omsecor.exe
1548	omsecor.exe
1548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2900 set thread context of 2128	2900	omsecor.exe	32
PID 1324 set thread context of 1548	1324	omsecor.exe	36
PID 1304 set thread context of 2060	1304	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 2116 wrote to memory of 1128	2116	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	30
PID 1128 wrote to memory of 2900	1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	31
PID 1128 wrote to memory of 2900	1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	31
PID 1128 wrote to memory of 2900	1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	31
PID 1128 wrote to memory of 2900	1128	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	31
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2900 wrote to memory of 2128	2900	omsecor.exe	32
PID 2128 wrote to memory of 1324	2128	omsecor.exe	35
PID 2128 wrote to memory of 1324	2128	omsecor.exe	35
PID 2128 wrote to memory of 1324	2128	omsecor.exe	35
PID 2128 wrote to memory of 1324	2128	omsecor.exe	35
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1324 wrote to memory of 1548	1324	omsecor.exe	36
PID 1548 wrote to memory of 1304	1548	omsecor.exe	37
PID 1548 wrote to memory of 1304	1548	omsecor.exe	37
PID 1548 wrote to memory of 1304	1548	omsecor.exe	37
PID 1548 wrote to memory of 1304	1548	omsecor.exe	37
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38
PID 1304 wrote to memory of 2060	1304	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
"C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
  C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e5a6576807938cf6b35bc76e0abba07a

SHA1
dda4fe19ecf9da4e251a6f5b1846c01e7135fdf6

SHA256
e0ccfea697214a97d6a41af4d8ec69da52843df65cace7a35cfe54d71eb78c10

SHA512
564e977ccf2a109ca9a65e3e0f1f55436f2e68322a87ef8d6650c51ce3eae1b13f34c57def49d3c1492e9f30fc4bf540b29f85d3fd969cf2bd581361aa5ed14d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9dbdc413fe804774161130503b9199a8

SHA1
ef553a69111de2026daa24314035c7669801b325

SHA256
7d8413771aa19283a5d68ad208aee4f409b652f6f9798ffe10af13f455dc3dcb

SHA512
63690f3b9b91a43814de9355f48c84ff742072c4990748c2960cc3b6d0c80b0f7b9d4afd2cb2a39433892d5d55ec68a3a2d58f1d241c0c1762eaf4a2af041ce9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
86afd2d879012cdf1828c9ae82bf4742

SHA1
e4809cc1f4f6f3a537448cd0eaff6ea201b9f249

SHA256
a55ef879c7a15f4fe94367692d311461f97d21559a412fbc04c61909adcc30ac

SHA512
87d131b8256db73be2c144bfde029429823d7dc677ef197579c7e07803485a7bb3c82924211b3efd9e43c3162fc5d5cadae1440754e86c61761d6bf1ed7da259

Download Submit
memory/1128-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1128-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1128-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1128-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1128-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1304-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1324-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-72-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2060-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2116-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-48-0x00000000004A0000-0x00000000004C3000-memory.dmp

Filesize
140KB

Download
memory/2128-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-55-0x00000000004A0000-0x00000000004C3000-memory.dmp

Filesize
140KB

Download
memory/2128-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2900-24-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2900-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download