neconyd | c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Size

96KB
MD5

e3e2a0768e41f6c02ff6bad57caec4f2
SHA1

dc5c7d021301f8eb3b80a9ac0359db3376c5881c
SHA256

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16
SHA512

1d93d89c672b16844a29ae876414cf13b537370fa93009dcde6f614ca317a023ce6cfb16b0624c3b6f935ef6491f034c62aa388e50ce680594bf1d094a074cd3
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:6Gs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2144	omsecor.exe
2568	omsecor.exe
1716	omsecor.exe
864	omsecor.exe
852	omsecor.exe
2276	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
2144	omsecor.exe
2568	omsecor.exe
2568	omsecor.exe
864	omsecor.exe
864	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 2144 set thread context of 2568	2144	omsecor.exe	32
PID 1716 set thread context of 864	1716	omsecor.exe	36
PID 852 set thread context of 2276	852	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 3060 wrote to memory of 2260	3060	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	30
PID 2260 wrote to memory of 2144	2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2260 wrote to memory of 2144	2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2260 wrote to memory of 2144	2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2260 wrote to memory of 2144	2260	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	31
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2144 wrote to memory of 2568	2144	omsecor.exe	32
PID 2568 wrote to memory of 1716	2568	omsecor.exe	35
PID 2568 wrote to memory of 1716	2568	omsecor.exe	35
PID 2568 wrote to memory of 1716	2568	omsecor.exe	35
PID 2568 wrote to memory of 1716	2568	omsecor.exe	35
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 1716 wrote to memory of 864	1716	omsecor.exe	36
PID 864 wrote to memory of 852	864	omsecor.exe	37
PID 864 wrote to memory of 852	864	omsecor.exe	37
PID 864 wrote to memory of 852	864	omsecor.exe	37
PID 864 wrote to memory of 852	864	omsecor.exe	37
PID 852 wrote to memory of 2276	852	omsecor.exe	38
PID 852 wrote to memory of 2276	852	omsecor.exe	38
PID 852 wrote to memory of 2276	852	omsecor.exe	38
PID 852 wrote to memory of 2276	852	omsecor.exe	38
PID 852 wrote to memory of 2276	852	omsecor.exe	38
PID 852 wrote to memory of 2276	852	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
"C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7269e3e94718b09b90d0a9b6a5d6d59c

SHA1
aa50863dc76882252704e9e2e8fee0644b47eaa7

SHA256
2c4a96d298fcbd33935ee7761b6dc842c5f95d67bd113554526d628f6f619d1a

SHA512
fb9946cb11dbd771a5263e693bb47b9a8e9157cfe10d23b647d6ade17928eb097c72768af4aff7512b11cfbdb2f0457c39fe564bcb7ea443ee501ec46bf8f3c0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
480a1e4d9a886327f336edbc48dee8c2

SHA1
bb4c254ed0fcf180ba0769ece81d47c58c10be47

SHA256
4d35b692bde7355551ce1811f6f3113808d2d6a4622501407adf6f4c38a0e960

SHA512
adf16b9c25d725f6f16daf7df1e705515df0ccc54720fdd5e99e4a531d0fa7e8d17cbd1e95a84f8de24b7b4e9df26c9aa014a22e87274ace267152d38d221b15

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
18b7a877275cc0e2d9ccbd5a8f9372d7

SHA1
250df8613c61fbc7f9cd85d52f3686d3d21623fd

SHA256
e5534275d00d1239a5fcb5d92bc0b14e14472b56a527c0e19e890bbf159eca1f

SHA512
4411a9f417f5129df8e6853e4f13ec4cb1c99cf3c40d3e0453a06b27bfa0b7b7bbc8d72d791c30922fc4ed09e0684b058b2d5841c97eea76dc036e364be4c893

Download Submit
memory/852-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/864-75-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/864-83-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1716-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1716-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2144-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2144-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2144-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-96-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-50-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2568-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3060-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3060-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3060-8-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/3060-37-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download