neconyd | c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Size

96KB
MD5

e3e2a0768e41f6c02ff6bad57caec4f2
SHA1

dc5c7d021301f8eb3b80a9ac0359db3376c5881c
SHA256

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16
SHA512

1d93d89c672b16844a29ae876414cf13b537370fa93009dcde6f614ca317a023ce6cfb16b0624c3b6f935ef6491f034c62aa388e50ce680594bf1d094a074cd3
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:6Gs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2804	omsecor.exe
2880	omsecor.exe
844	omsecor.exe
1164	omsecor.exe
2068	omsecor.exe
1276	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
2804	omsecor.exe
2880	omsecor.exe
2880	omsecor.exe
1164	omsecor.exe
1164	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 2804 set thread context of 2880	2804	omsecor.exe	32
PID 844 set thread context of 1164	844	omsecor.exe	35
PID 2068 set thread context of 1276	2068	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3044 wrote to memory of 2640	3044	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 2640 wrote to memory of 2804	2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2640 wrote to memory of 2804	2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2640 wrote to memory of 2804	2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2640 wrote to memory of 2804	2640	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2804 wrote to memory of 2880	2804	omsecor.exe	32
PID 2880 wrote to memory of 844	2880	omsecor.exe	34
PID 2880 wrote to memory of 844	2880	omsecor.exe	34
PID 2880 wrote to memory of 844	2880	omsecor.exe	34
PID 2880 wrote to memory of 844	2880	omsecor.exe	34
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 844 wrote to memory of 1164	844	omsecor.exe	35
PID 1164 wrote to memory of 2068	1164	omsecor.exe	36
PID 1164 wrote to memory of 2068	1164	omsecor.exe	36
PID 1164 wrote to memory of 2068	1164	omsecor.exe	36
PID 1164 wrote to memory of 2068	1164	omsecor.exe	36
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37
PID 2068 wrote to memory of 1276	2068	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
"C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e83c70d10771baa4741362a7cab850d1

SHA1
93b95b01b1c49ca4a5a86fde0ff7fc4e269cdf5a

SHA256
e4bbc899e402b5eff75a8cd6085f11a6e412f4e894d51439366fe53351b2062f

SHA512
cabf8de1e09acb8f628f015dbd7d94d03107ef4f8b58b73895c4e7d36899dab270919fbd7676d21faee7a3368339c9458da7f0fa4caa327e9d58884f6db4873d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
480a1e4d9a886327f336edbc48dee8c2

SHA1
bb4c254ed0fcf180ba0769ece81d47c58c10be47

SHA256
4d35b692bde7355551ce1811f6f3113808d2d6a4622501407adf6f4c38a0e960

SHA512
adf16b9c25d725f6f16daf7df1e705515df0ccc54720fdd5e99e4a531d0fa7e8d17cbd1e95a84f8de24b7b4e9df26c9aa014a22e87274ace267152d38d221b15

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6ace66431146c3507f7535309383c361

SHA1
c1e8e4c8d84bd026a601b36c11aac28d4b07e236

SHA256
37d0c9f3bc4dfa799d48785ef6b2624e8654c26f86e954ba3e5e7eb002a2b274

SHA512
6e7d7e65a602bd56b9924323e09da7516424b1f69e91fef2247652384d91e8e23118824df58c2c189a23ae915b50d132a6de362d6da0ac71adb49cdad47a1a7a

Download Submit
memory/844-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/844-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1164-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1276-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2068-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2640-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2640-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2804-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2880-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-54-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2880-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-48-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2880-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3044-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download