neconyd | f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
Size

96KB
MD5

387ab07cb92996adfd023c9dff37a8ae
SHA1

176de07c60e6af19833c8b4243a34774beb56533
SHA256

f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6
SHA512

aa6d659c94f27baffb2d7e223073969075706bca1933b43e47193e4a3a5d5196d3a4de1faa8a767340d17c6fe5cb9ff81def7a7d07783d7735fc904abfacf8b5
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:JGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2396	omsecor.exe
2504	omsecor.exe
1868	omsecor.exe
1752	omsecor.exe
1748	omsecor.exe
1568	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
2396	omsecor.exe
2504	omsecor.exe
2504	omsecor.exe
1752	omsecor.exe
1752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2396 set thread context of 2504	2396	omsecor.exe	32
PID 1868 set thread context of 1752	1868	omsecor.exe	36
PID 1748 set thread context of 1568	1748	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2408 wrote to memory of 2016	2408	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	30
PID 2016 wrote to memory of 2396	2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	31
PID 2016 wrote to memory of 2396	2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	31
PID 2016 wrote to memory of 2396	2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	31
PID 2016 wrote to memory of 2396	2016	f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe	31
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2396 wrote to memory of 2504	2396	omsecor.exe	32
PID 2504 wrote to memory of 1868	2504	omsecor.exe	35
PID 2504 wrote to memory of 1868	2504	omsecor.exe	35
PID 2504 wrote to memory of 1868	2504	omsecor.exe	35
PID 2504 wrote to memory of 1868	2504	omsecor.exe	35
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1868 wrote to memory of 1752	1868	omsecor.exe	36
PID 1752 wrote to memory of 1748	1752	omsecor.exe	37
PID 1752 wrote to memory of 1748	1752	omsecor.exe	37
PID 1752 wrote to memory of 1748	1752	omsecor.exe	37
PID 1752 wrote to memory of 1748	1752	omsecor.exe	37
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38
PID 1748 wrote to memory of 1568	1748	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
"C:\Users\Admin\AppData\Local\Temp\f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
  C:\Users\Admin\AppData\Local\Temp\f1de45b2c0d4a42ee7e8ad45b6e37f96c2c5683667eaa6c517de51e08fe8d5b6.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
933d6255cb6f901b0ab32d3277ad9453

SHA1
bce7022952332dbd727e54ae91628a387a12d5e8

SHA256
21b4aa15fc516cdc72aaaf4405a21a703c3f2d1a29eeb51ff2fbb9a94b118328

SHA512
22fca6cb230fe0a77b68471bf11f79e7e5607fe8fed514eedf48ca4eab589bbb02725cd3bfdd4ee48d7922027686df0557d184ff00a4891aa34e80590c7b15be

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
28159e761720f9ba22dcf32a6002ea2c

SHA1
cb945e6feb62c2a832c49dae305673a8c11579ef

SHA256
42182eea6fffed48977eb4242457e5162185aac8f4c775bcfd562e958eb83302

SHA512
1b232fec3625bd7c42baefb13039f31ec996c545520e8d27b2472da468f5935e3885653da03352dc64dda69d3ce43a55bdefb3145cbd52772bef06babdc231b2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3be2e89e39fb91afbc102cc46f3995a5

SHA1
6066c698911c2a9339af07b2cf2f4f6719aa7139

SHA256
2d2b7ba3808ade516cb88c2d53275001210b07b62853f3a77e9fd3622e8c919e

SHA512
e5655b3504fad52905afb874482930f3f75102b558e31935590d9cc8ebe1ae5bf8cfaec8673e70a80efb2f2e90a3e2154f23ad3d8c6c7f0b5a290be1c359f4ed

Download Submit
memory/1568-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1748-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1748-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1868-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1868-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2396-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-1-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/2504-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-48-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2504-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download