neconyd | de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
Size

96KB
MD5

45f4352a4d3d6ae1d060f857a561d31e
SHA1

3ad478217477fd01bd5f7506b23cddf7287bb513
SHA256

de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc
SHA512

338dba83885f49274a02bd9306a8c9c01e3593b31636bf5559070af79962d21b5ce2fb43d778ce2c471711fd1f72452225c314a0bcbc980c908a3f4235d74cb9
SSDEEP

1536:inAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:iGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
860	omsecor.exe
1528	omsecor.exe
2948	omsecor.exe
588	omsecor.exe
2152	omsecor.exe
2204	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
860	omsecor.exe
1528	omsecor.exe
1528	omsecor.exe
588	omsecor.exe
588	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 860 set thread context of 1528	860	omsecor.exe	32
PID 2948 set thread context of 588	2948	omsecor.exe	35
PID 2152 set thread context of 2204	2152	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2820 wrote to memory of 2752	2820	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	30
PID 2752 wrote to memory of 860	2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	31
PID 2752 wrote to memory of 860	2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	31
PID 2752 wrote to memory of 860	2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	31
PID 2752 wrote to memory of 860	2752	de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe	31
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 860 wrote to memory of 1528	860	omsecor.exe	32
PID 1528 wrote to memory of 2948	1528	omsecor.exe	34
PID 1528 wrote to memory of 2948	1528	omsecor.exe	34
PID 1528 wrote to memory of 2948	1528	omsecor.exe	34
PID 1528 wrote to memory of 2948	1528	omsecor.exe	34
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 2948 wrote to memory of 588	2948	omsecor.exe	35
PID 588 wrote to memory of 2152	588	omsecor.exe	36
PID 588 wrote to memory of 2152	588	omsecor.exe	36
PID 588 wrote to memory of 2152	588	omsecor.exe	36
PID 588 wrote to memory of 2152	588	omsecor.exe	36
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37
PID 2152 wrote to memory of 2204	2152	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
"C:\Users\Admin\AppData\Local\Temp\de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
  C:\Users\Admin\AppData\Local\Temp\de4fbc62602a5f3cb36828b626944110db06fd3421683124303dbcd8871328fc.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
86b8a847d9948af88cc7e6264060a925

SHA1
33f312781035a839e9f6128a41d26963bf756d46

SHA256
c195593c0086de00fa77fc971509a4a840e5789b10d3bf15bf52178b767fa072

SHA512
0bdf016b953bea8b772b94363094eb0b6679410cccc52642438f0d1538c5571b44004cdb411f14d3563b1b0739eb96b7593376732cf1fe7c12e377df66cbed09

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
57cbbb25a28e9447ffdf801c7cb65e7a

SHA1
a3fcff0044f9fdcbd3a3d049554aa7556cf8524d

SHA256
0d5c596c1dfc4a5fb49ddfef63b3015fd86a0e1ce6bc742e0b608ac0e58fb872

SHA512
d7755adb089370cb6491cff687acab84e782a1b0f28586f2c94f26e22357d01464d1a3a10026990a7fd649f6ab971d7e4d1a89d7d5bdf4a80bc48fd543bacfbe

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9d0fcce0b504b48f449fd5c7b4a6597f

SHA1
1aea342a182e7d91e5d0cdba77d9db03fec38373

SHA256
d798b09a051e00e6c50c98187c2084f6a9e1a908224162b6ef1aa4696e899419

SHA512
2a81b65cfdb10c5da7df25a437ef10e9a1f095ecf832f0a9509b4a510f37acafa3558e051c01156c532cf0f80646b558fc299bfbf9eb5b220fc8a1ed6eec7cec

Download Submit
memory/860-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/860-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1528-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/1528-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-19-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2752-21-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2752-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2820-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2820-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download