neconyd | a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
Size

134KB
MD5

0a197348ada0a4dbe7930fa2d7661220
SHA1

a5422ec34634bffcd6c46770c73015b2fda886dc
SHA256

a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380
SHA512

90fe6f284f79058ffa792217562c2062f5d17dc0fe1543dbfb02c604519e0fa6c9ee0783bdb2b6edf3a21d0aa39ad106a49f8e807a396c9d630b7bc29fc83cb3
SSDEEP

1536:GDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCin:4iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2268	omsecor.exe
776	omsecor.exe
1628	omsecor.exe
884	omsecor.exe
2752	omsecor.exe
2032	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
2268	omsecor.exe
776	omsecor.exe
776	omsecor.exe
884	omsecor.exe
884	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 2268 set thread context of 776	2268	omsecor.exe	30
PID 1628 set thread context of 884	1628	omsecor.exe	35
PID 2752 set thread context of 2032	2752	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1316 wrote to memory of 1916	1316	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	28
PID 1916 wrote to memory of 2268	1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	29
PID 1916 wrote to memory of 2268	1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	29
PID 1916 wrote to memory of 2268	1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	29
PID 1916 wrote to memory of 2268	1916	a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe	29
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 2268 wrote to memory of 776	2268	omsecor.exe	30
PID 776 wrote to memory of 1628	776	omsecor.exe	34
PID 776 wrote to memory of 1628	776	omsecor.exe	34
PID 776 wrote to memory of 1628	776	omsecor.exe	34
PID 776 wrote to memory of 1628	776	omsecor.exe	34
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 1628 wrote to memory of 884	1628	omsecor.exe	35
PID 884 wrote to memory of 2752	884	omsecor.exe	36
PID 884 wrote to memory of 2752	884	omsecor.exe	36
PID 884 wrote to memory of 2752	884	omsecor.exe	36
PID 884 wrote to memory of 2752	884	omsecor.exe	36
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37
PID 2752 wrote to memory of 2032	2752	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
"C:\Users\Admin\AppData\Local\Temp\a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
  C:\Users\Admin\AppData\Local\Temp\a4eb1196040e7f78b601645c9906246f1b688566b61cb11fcf3882215d5b4380.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3e1ffdc985ad2ef564f17e9e2b7dd9a4

SHA1
e77a56d60e5a3c888c69c2dd316c59672dc8639d

SHA256
3464a24a5f7b24541b59ed98e6b08fead6f7043dd29c9b53ae39207364456b3d

SHA512
1980018492a24055be5ae9613911b75656aa2bc8cc3c586b98092965d481e97f0a05e56b72a2db9807ea69b48254336e0e4ca745a33ba011a01df3b4ae7abcd3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
35414596d1f915ca0f0f8ccaa1a9429b

SHA1
7d010efce9080f3a25c6df15167d5360b5dbbcb6

SHA256
e31c5b425414540747db8073b025a5d5c1ce71042db27e1bec3b1b520666c2af

SHA512
c32d1a7c9bf7b7ee0158dc98f89025b760895771ed75b13ad0c0f5e5b736c01679ca3c5a48ec9b0b57a83cddbdb949bfb485c57a096bced812a8435dbe21206c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e11770fb6b4ea519ee856013f14c5fd1

SHA1
6c7d1e10e8dbd3b76a965764c05963a27dd97c1a

SHA256
6dd44ecf12d917d74330a0d2e2569796f859fe061a904f4b956277cc613f0f4f

SHA512
39285104978496d4d753e419ebb08d1df8e9f80eb3205a4fb74d8e582837c99f3a9bec19417c9255e76df63a30df8deb5125e847a48ec6f99f17d01f93ff388f

Download Submit
memory/776-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-56-0x0000000000440000-0x0000000000464000-memory.dmp

Filesize
144KB

Download
memory/776-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-48-0x0000000000440000-0x0000000000464000-memory.dmp

Filesize
144KB

Download
memory/1316-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1316-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1316-7-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1316-35-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1628-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-13-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1916-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2268-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2268-25-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/2268-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download