neconyd | cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18

Analysis

max time kernel
116s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Size

134KB
MD5

8d074aebb35db37fa02fc5d476e7ad59
SHA1

40ed0d486d32072df7027a71088816c22560a3de
SHA256

cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18
SHA512

3ba0c94ed1ffb469c73614867e5c808c68fc3a1b5efdd923a63b0ee02d36545f6bc1b61d43fbed78fa09606639fbbd2dc2570e6996337f20ef0618cabdf7a6e9
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2292	omsecor.exe
2572	omsecor.exe
3056	omsecor.exe
2900	omsecor.exe
2340	omsecor.exe
1868	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
2292	omsecor.exe
2572	omsecor.exe
2572	omsecor.exe
2900	omsecor.exe
2900	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 2292 set thread context of 2572	2292	omsecor.exe	32
PID 3056 set thread context of 2900	3056	omsecor.exe	35
PID 2340 set thread context of 1868	2340	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 1968 wrote to memory of 2568	1968	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	30
PID 2568 wrote to memory of 2292	2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	31
PID 2568 wrote to memory of 2292	2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	31
PID 2568 wrote to memory of 2292	2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	31
PID 2568 wrote to memory of 2292	2568	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	31
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2292 wrote to memory of 2572	2292	omsecor.exe	32
PID 2572 wrote to memory of 3056	2572	omsecor.exe	34
PID 2572 wrote to memory of 3056	2572	omsecor.exe	34
PID 2572 wrote to memory of 3056	2572	omsecor.exe	34
PID 2572 wrote to memory of 3056	2572	omsecor.exe	34
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 3056 wrote to memory of 2900	3056	omsecor.exe	35
PID 2900 wrote to memory of 2340	2900	omsecor.exe	36
PID 2900 wrote to memory of 2340	2900	omsecor.exe	36
PID 2900 wrote to memory of 2340	2900	omsecor.exe	36
PID 2900 wrote to memory of 2340	2900	omsecor.exe	36
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37
PID 2340 wrote to memory of 1868	2340	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
"C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
  C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3fb1a3db2ef295c014dcdec27162c2da

SHA1
4e862937c4fa8b2750c825f1496c18d13f03d053

SHA256
6f8bb46c80870277a570f085c489b2295e0af82e1d8fe11e9dcd75c3811ee049

SHA512
07e6da6b4517856ef5a7b4735d074e9c0f6b293211de76b43f6b027fa5663555b76deeba2019f7327dde4df78c1152ad733b479318cbe3d0ef115c6e4c120468

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c697d77083870828b2ff05a5e1ac5e4a

SHA1
d232eee1c1f5f952fa2a67bee0a6ad6729de4c66

SHA256
e75d548e02057fc575cb5bb1d09ef42ebfb5d9fd891df29434134d866396aa5a

SHA512
553bdefae7c6da78110c84bfb084690f29c6b6b1a090398dca33f2fb119d34047ff782d5d5562973e0171b87b97b7bef788b771b5ac0e344efbaad371cc7ef4f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8dc26bc27c03ef9c7abada3481edc555

SHA1
f27b49559dcfbe5c88c5a3ff127029504a57dcde

SHA256
bea7363d8f4968de3d5ecb4f9c909cb6f154d1fdfb10a36ad645bc767bae4fde

SHA512
d4b2cce5e117ab97cdee8239aaa80a4608c0f0037c3ba91a50ae55d25e40ac814813f28eb7907aff493ed180a36e6e09f0e27f5a808f64076c8e0534975d656d

Download Submit
memory/1868-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1968-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1968-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1968-33-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2292-23-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2292-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-69-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/3056-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download