neconyd | 0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
Size

96KB
MD5

1d3f9f35f940830fcb77a46d7848114f
SHA1

5ceba8403897681c7be2b8969e610e5a17700771
SHA256

0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb
SHA512

d4ec2cb23d8f34eda5076914efe135121294af45473c44c032a54936df95c89e635475eef72ae67d5d382567f97c6088fed6d9067a2238fcfaa0e3799c1d0ae6
SSDEEP

1536:nnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxu:nGs8cd8eXlYairZYqMddH13u

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1404	omsecor.exe
2020	omsecor.exe
2944	omsecor.exe
2716	omsecor.exe
1900	omsecor.exe
1860	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
1404	omsecor.exe
2020	omsecor.exe
2020	omsecor.exe
2716	omsecor.exe
2716	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1404 set thread context of 2020	1404	omsecor.exe	32
PID 2944 set thread context of 2716	2944	omsecor.exe	36
PID 1900 set thread context of 1860	1900	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 1292 wrote to memory of 2540	1292	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	30
PID 2540 wrote to memory of 1404	2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	31
PID 2540 wrote to memory of 1404	2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	31
PID 2540 wrote to memory of 1404	2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	31
PID 2540 wrote to memory of 1404	2540	0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe	31
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 1404 wrote to memory of 2020	1404	omsecor.exe	32
PID 2020 wrote to memory of 2944	2020	omsecor.exe	35
PID 2020 wrote to memory of 2944	2020	omsecor.exe	35
PID 2020 wrote to memory of 2944	2020	omsecor.exe	35
PID 2020 wrote to memory of 2944	2020	omsecor.exe	35
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2944 wrote to memory of 2716	2944	omsecor.exe	36
PID 2716 wrote to memory of 1900	2716	omsecor.exe	37
PID 2716 wrote to memory of 1900	2716	omsecor.exe	37
PID 2716 wrote to memory of 1900	2716	omsecor.exe	37
PID 2716 wrote to memory of 1900	2716	omsecor.exe	37
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38
PID 1900 wrote to memory of 1860	1900	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
"C:\Users\Admin\AppData\Local\Temp\0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
  C:\Users\Admin\AppData\Local\Temp\0f568ed48edb15b1cd591aeca58a50c89a7019425e45469e37dd5f65c74f21fb.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6d321317b860315c1a99cbab4c4a67ce

SHA1
d537f1fd558ae34ecd2249ed6d59f00e2ec76a94

SHA256
92ff0fbb65f70e7232ce7a611f63874094dd3cec2949f7c125f3673ea4fba711

SHA512
4046d233fc2af4b5e07b6182129e54932e9bfa8699af353f1f5fd99d4a33d2ae77ead0d1cbe8afa841164478f92d25b43dadada6bd30857ce4f6d449e526e96f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a3233aa3182b07b4b2be266826bc2ed5

SHA1
215aee038a0ae123b32ccd77140ca7c2a6aa2703

SHA256
03a21f484cbf2e15eb1ae2c241ebcb49f0d7452fcf008294d8849b0fa2334441

SHA512
fbb04030f4186e6c561bf00230594ce291dd477b1d06cca013441a4cb9948cd34a7c9b728fc7f0cb2d27980da0e88db77cd03a717ede2f78c8ef16a98e8ba4a7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1dfa94e45b6dcfd39864311deabca9ff

SHA1
256ab3c7c369df6edd3de70713106e38410904a6

SHA256
8dda8714e19879e9bf5d2f37c3f60b5790c1987ab7e453fd0b64e51d3abd0cbf

SHA512
f2d08dd49aeaf6e4f651a156e313e928176540001070875dc25a3f2e3dcb06bcb332e35c8cfcdb09f3cda6c9ac87b0af3e4196ac6c86f1aa9f435094ccb7c27f

Download Submit
memory/1292-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1292-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1404-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1404-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1404-30-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1860-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1900-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1900-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-90-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2020-48-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2540-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2540-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2944-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download