neconyd | c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320b

Analysis

max time kernel
114s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
Size

96KB
MD5

e0fad41a8a5e4cf2c8b82e0719721a90
SHA1

95d718867024a2e636d1eab38a4dea6ebe3b5388
SHA256

c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320b
SHA512

b986901c89a82c70e3d72ad7a59ad2e92e02920a57b1115c4f5705247d69d10596a52d828dad3b22444da6938e63e946d0c75a1f937337c5c1ff9c990d778414
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:6Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2672	omsecor.exe
2644	omsecor.exe
1604	omsecor.exe
752	omsecor.exe
2200	omsecor.exe
1464	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
2672	omsecor.exe
2644	omsecor.exe
2644	omsecor.exe
752	omsecor.exe
752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2672 set thread context of 2644	2672	omsecor.exe	32
PID 1604 set thread context of 752	1604	omsecor.exe	36
PID 2200 set thread context of 1464	2200	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2636 wrote to memory of 2752	2636	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	30
PID 2752 wrote to memory of 2672	2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	31
PID 2752 wrote to memory of 2672	2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	31
PID 2752 wrote to memory of 2672	2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	31
PID 2752 wrote to memory of 2672	2752	c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe	31
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2672 wrote to memory of 2644	2672	omsecor.exe	32
PID 2644 wrote to memory of 1604	2644	omsecor.exe	35
PID 2644 wrote to memory of 1604	2644	omsecor.exe	35
PID 2644 wrote to memory of 1604	2644	omsecor.exe	35
PID 2644 wrote to memory of 1604	2644	omsecor.exe	35
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 1604 wrote to memory of 752	1604	omsecor.exe	36
PID 752 wrote to memory of 2200	752	omsecor.exe	37
PID 752 wrote to memory of 2200	752	omsecor.exe	37
PID 752 wrote to memory of 2200	752	omsecor.exe	37
PID 752 wrote to memory of 2200	752	omsecor.exe	37
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38
PID 2200 wrote to memory of 1464	2200	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
"C:\Users\Admin\AppData\Local\Temp\c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
  C:\Users\Admin\AppData\Local\Temp\c1a3ccfcfcc93958f158a9f4a94af094445cd91735c6788e0ce208dd8825320bN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c454b1a2c14d49b5e2e37169e2f488fb

SHA1
f69c22cdfdcee04625161f26f4d3c367dc58ebff

SHA256
7258a860ff45345097584a9d0bca3c304dfcc48da620bde1041d7a9b7fada09e

SHA512
258f3a59b2b6a18ceb720eaa0462131732330a1f88c7667559b14265d7e3818151d071dfe86f8a514c0ef8d3399a94c7ed4fd06b8ea9fb69e19ee142cb176c72

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c90873a74766a2c4e9a1a90da7c56e92

SHA1
215a8f5b70dc689e9e70da52e3fb609408710d3b

SHA256
5c57b71e9216480d4bb5a5ed3e4055daee030c840dd8099d6d5a229db0a5f0b0

SHA512
e2c6db0d6d362b5977c9f2bc10edbb939ffb3bee9d55ee6e8c948ce9503f24f722339125da539dcb71bc4f62fc4867d3a11026e765c1c7a2f850355d93c74f6c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cf67884732281ccbcb7b3fb461830218

SHA1
4b6ad0ae655a0045330c34a838ce52eac6bb437f

SHA256
b755bb860bea10d0ae1640659dcdfdc78d79508a43dd301bcc98bcdafdc4bbaa

SHA512
bdcf9809dd3ce50bd92d5b4f611bb2ebd2fa1a283ab8b568e9925dcef4a2c6435653282e9f37eeba710bd6bd4484beb9cc5bfee689b12895d03bceda7172b2f4

Download Submit
memory/752-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1464-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2200-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2200-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-11-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2636-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-55-0x00000000028F0000-0x0000000002913000-memory.dmp

Filesize
140KB

Download
memory/2644-48-0x00000000028F0000-0x0000000002913000-memory.dmp

Filesize
140KB

Download
memory/2672-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2672-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download