neconyd | 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

Resubmissions

21/01/2025, 13:23

250121-qm6f9awmck 10

21/01/2025, 13:09

250121-qd933svrer 10

Analysis

max time kernel
142s
max time network
133s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size

96KB
MD5

f52b87b3a347a98aaa214c53bbf3e320
SHA1

88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512

75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2496	omsecor.exe
2476	omsecor.exe
340	omsecor.exe
1360	omsecor.exe
2388	omsecor.exe
2644	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
2496	omsecor.exe
2476	omsecor.exe
2476	omsecor.exe
1360	omsecor.exe
1360	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2496 set thread context of 2476	2496	omsecor.exe	32
PID 340 set thread context of 1360	340	omsecor.exe	36
PID 2388 set thread context of 2644	2388	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2596 wrote to memory of 1464	2596	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 1464 wrote to memory of 2496	1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	31
PID 1464 wrote to memory of 2496	1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	31
PID 1464 wrote to memory of 2496	1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	31
PID 1464 wrote to memory of 2496	1464	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	31
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2496 wrote to memory of 2476	2496	omsecor.exe	32
PID 2476 wrote to memory of 340	2476	omsecor.exe	35
PID 2476 wrote to memory of 340	2476	omsecor.exe	35
PID 2476 wrote to memory of 340	2476	omsecor.exe	35
PID 2476 wrote to memory of 340	2476	omsecor.exe	35
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 340 wrote to memory of 1360	340	omsecor.exe	36
PID 1360 wrote to memory of 2388	1360	omsecor.exe	37
PID 1360 wrote to memory of 2388	1360	omsecor.exe	37
PID 1360 wrote to memory of 2388	1360	omsecor.exe	37
PID 1360 wrote to memory of 2388	1360	omsecor.exe	37
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38
PID 2388 wrote to memory of 2644	2388	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
"C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ed580a195e52b712ad98701276f22d8

SHA1
fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

SHA256
8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

SHA512
acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ef0c071e2cea3394bdbde5f74948ebe4

SHA1
dcd1187d41fccbadec670f71ebed6f0086a281a5

SHA256
5f5e7c04c27a9760b77295284bb852454264977218aca88af782d3f881ba7b3f

SHA512
285751e66ef636a245e700518104f3343f8c0969d49a69f1159a1396f07856f64a26804498f2c1239c7bba37e9a090158cdba9ecd587c833bac36ba6e1f77ef1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
eed3e179b422bdb3481db58c9047c542

SHA1
f37eb9cc0f798a5a4eca5842e1a4531988208640

SHA256
ed254031ab5995f8aafd28660a7b11179c4df91f5d69198fa82ac76e8bc03f58

SHA512
26c0c860b320b420807e89aeb607ce87d1d85f2ff4a21e4ce333d58bb376c2a59d62273da7780c94d415143c02854b40eec2d0cd5b4560488524a6450744da46

Download Submit
memory/340-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1360-71-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1464-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1464-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1464-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1464-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1464-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2388-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2476-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-47-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2476-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-20-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2596-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2596-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2596-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download