neconyd | 61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0ab

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
Size

96KB
MD5

f4e9b81146e3a7c76fcd136712d9be40
SHA1

e7cffad0e338c3f13e179bc3920d40c144d0d3ed
SHA256

61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0ab
SHA512

4c3cbd65c12714a99d99e49aa5881c0c0b2bc11587a996df34b052754bd0643af83239087659ddd2458cb92f247109b60a40f65f66d4e716a294956d0f4fa8c5
SSDEEP

1536:inAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:iGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3060	omsecor.exe
2528	omsecor.exe
1652	omsecor.exe
2016	omsecor.exe
1368	omsecor.exe
2180	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
3060	omsecor.exe
2528	omsecor.exe
2528	omsecor.exe
2016	omsecor.exe
2016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 3060 set thread context of 2528	3060	omsecor.exe	32
PID 1652 set thread context of 2016	1652	omsecor.exe	36
PID 1368 set thread context of 2180	1368	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 1732 wrote to memory of 2580	1732	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	30
PID 2580 wrote to memory of 3060	2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	31
PID 2580 wrote to memory of 3060	2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	31
PID 2580 wrote to memory of 3060	2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	31
PID 2580 wrote to memory of 3060	2580	61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe	31
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 3060 wrote to memory of 2528	3060	omsecor.exe	32
PID 2528 wrote to memory of 1652	2528	omsecor.exe	35
PID 2528 wrote to memory of 1652	2528	omsecor.exe	35
PID 2528 wrote to memory of 1652	2528	omsecor.exe	35
PID 2528 wrote to memory of 1652	2528	omsecor.exe	35
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 1652 wrote to memory of 2016	1652	omsecor.exe	36
PID 2016 wrote to memory of 1368	2016	omsecor.exe	37
PID 2016 wrote to memory of 1368	2016	omsecor.exe	37
PID 2016 wrote to memory of 1368	2016	omsecor.exe	37
PID 2016 wrote to memory of 1368	2016	omsecor.exe	37
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38
PID 1368 wrote to memory of 2180	1368	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
"C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ade8001189cc18070d30d77c5dfdce99

SHA1
9b33f7b3971ccec383efbff6d30b7a5346b63360

SHA256
934d37f15847e569564c9321e60a5f85212c6fa8c63bf2f426e7fad46f47d800

SHA512
7f3c4f498d188d4fc4a4a6587e9992b9284d4e7eeb4d4f37610add4aa4b58b2a2f0d18692bde1a3d0f31a8561cc3b3c0db8907d6e28c7231469b080a2ae9fa2b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d6cde7a7cf20b346d76295b971389460

SHA1
ff3cc55e86376709dd911174fce51a95198f710e

SHA256
9aeb54ceee8664ec7a212e83fcb271c492a1cd832cf6698d68ac7d1fcd44d34f

SHA512
e6bab3650d868485bbb9f94e98450de8d4e97e689dc7df9be0a09919ea0ff0c8c294b15036fe45d07087e318fdc97332bedb659dbbbd06af3e7c93373ba1d388

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3a68cd3ca1fe7519f20edf6d718fc813

SHA1
1a20a9a2fab0157bd85e41e378f12e1fbfa71f4b

SHA256
a454de8a161f256a11115bd1a4e73e58edc2c924c358e5af4d1797442fd38208

SHA512
2bc49096fa3c514843abfe8d49e1627b66e39310fd4b10626d05da4461f377159bddfcbd8e37ba9be8c97b41979106124b947a79211d0a73b51d726984607b43

Download Submit
memory/1368-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1652-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1652-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-9-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1732-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2180-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-49-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2580-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3060-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3060-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3060-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download