neconyd | f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Size

134KB
MD5

40f791e02669d58d787e4829aa569385
SHA1

6c7ba5f8dba69d428587efc45d567692fc8b2550
SHA256

f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d
SHA512

4b5f310d676da4179164812771154243de44bef4f4c3f2b4fc7a1ab52f7d7a33e7902114fb0be66641837c6a141e971e0b844d6d5e4f8c2c45d65a2b7214325a
SSDEEP

1536:yDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:kiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1936	omsecor.exe
2492	omsecor.exe
1008	omsecor.exe
660	omsecor.exe
1944	omsecor.exe
2888	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
1936	omsecor.exe
2492	omsecor.exe
2492	omsecor.exe
660	omsecor.exe
660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 1936 set thread context of 2492	1936	omsecor.exe	32
PID 1008 set thread context of 660	1008	omsecor.exe	36
PID 1944 set thread context of 2888	1944	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2368 wrote to memory of 2564	2368	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	30
PID 2564 wrote to memory of 1936	2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	31
PID 2564 wrote to memory of 1936	2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	31
PID 2564 wrote to memory of 1936	2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	31
PID 2564 wrote to memory of 1936	2564	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	31
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 1936 wrote to memory of 2492	1936	omsecor.exe	32
PID 2492 wrote to memory of 1008	2492	omsecor.exe	35
PID 2492 wrote to memory of 1008	2492	omsecor.exe	35
PID 2492 wrote to memory of 1008	2492	omsecor.exe	35
PID 2492 wrote to memory of 1008	2492	omsecor.exe	35
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 1008 wrote to memory of 660	1008	omsecor.exe	36
PID 660 wrote to memory of 1944	660	omsecor.exe	37
PID 660 wrote to memory of 1944	660	omsecor.exe	37
PID 660 wrote to memory of 1944	660	omsecor.exe	37
PID 660 wrote to memory of 1944	660	omsecor.exe	37
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38
PID 1944 wrote to memory of 2888	1944	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
"C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
  C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f1ddf165c47aa84cd0c89ade1304e44e

SHA1
30c99619fecaf5f47bb15076085372cd531b2b98

SHA256
21500030b6005e0331bd2db599f5b28266cbe13fe3fabc5e35d0fceeed8a6ae0

SHA512
47c715033ea8c036413af05808069fe377a584ab03bcd9709584c1a57e6992fc86e1e1fda1998684109e447091e2fb7174abb050f8ea6c575014a1823d5291ca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
29c9679535d25cb0daa90ee8ed7a24e0

SHA1
b641966f8aeda5975b1f46dcb11a38cb47f81c6c

SHA256
dfe53fb9d9be931408c7e79eaeb6b5a8405beac5b328535a77d8a0ede994199e

SHA512
7e162756fcb091d8e42b13e3e11b1db54727e44a6234fa780a20be6663751b1a5801c3847c8174aeadb9f15f0fa9cb21314ea36dfefc1ff729aa937b1759e7df

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
b9375b50a04bfd5872b7732277e1d7bf

SHA1
4d635a25b831b8f8f8909f7eb8687b3db1b0839a

SHA256
13c80aba25d733c1d7f8b50e41e5184df67037a76bb58d9521d1867d8f6e0bf2

SHA512
2d242b86d067e26a4afb157d09ca9c0931cfb097eca768aa282cd0c3193a8036b8a993ca4ef65aa508c76c929e08304a6178e7598cd4a9eb8085d2c368d4bfbd

Download Submit
memory/660-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1008-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1936-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1936-24-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/1936-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1944-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1944-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-1-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/2368-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2492-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-46-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2492-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download