neconyd | ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Size

96KB
MD5

3e4c1ce6813953cf9e9f095d431e7a60
SHA1

57fca638667c00b14f0d84dd33e28675e939ecb2
SHA256

ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591
SHA512

af043995dacd855dec144f2a94a950cd3def22a3f0a974de7bedd31a0b9ec7e998a0cc63827735717d6f4e03f3bb2ee0580209e6125fb0ff5e7b03357fd4c2bf
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:kGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2628	omsecor.exe
2876	omsecor.exe
1056	omsecor.exe
2144	omsecor.exe
2536	omsecor.exe
1852	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
2628	omsecor.exe
2876	omsecor.exe
2876	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1240 set thread context of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 2628 set thread context of 2876	2628	omsecor.exe	32
PID 1056 set thread context of 2144	1056	omsecor.exe	36
PID 2536 set thread context of 1852	2536	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1240 wrote to memory of 1028	1240	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	30
PID 1028 wrote to memory of 2628	1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	31
PID 1028 wrote to memory of 2628	1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	31
PID 1028 wrote to memory of 2628	1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	31
PID 1028 wrote to memory of 2628	1028	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	31
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2628 wrote to memory of 2876	2628	omsecor.exe	32
PID 2876 wrote to memory of 1056	2876	omsecor.exe	35
PID 2876 wrote to memory of 1056	2876	omsecor.exe	35
PID 2876 wrote to memory of 1056	2876	omsecor.exe	35
PID 2876 wrote to memory of 1056	2876	omsecor.exe	35
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 1056 wrote to memory of 2144	1056	omsecor.exe	36
PID 2144 wrote to memory of 2536	2144	omsecor.exe	37
PID 2144 wrote to memory of 2536	2144	omsecor.exe	37
PID 2144 wrote to memory of 2536	2144	omsecor.exe	37
PID 2144 wrote to memory of 2536	2144	omsecor.exe	37
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38
PID 2536 wrote to memory of 1852	2536	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
"C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
  C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e372a66a78645d8f9fbc33ff43df24c5

SHA1
1d6405b045d38506f07bd467cb52294ce3cdf8a4

SHA256
4b7aec92c38ff9df25e3ebdd581fa01f2b90948c5dff7fe0a9df13f4d7910ce4

SHA512
8cded00cc365bfaccd05e0166b6e0b529b6c65afb32dda48cef80628a13ecd2f3c749130b63db258a06cded0eab1c6d84925a599157d794c485badf3fd6bf89c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
78acf9ba3b3563172634ed03a4e49d64

SHA1
774a5fabec3a876421f3d8b366aa0785d818d156

SHA256
bd2efbbd31534c40c11a591d3c0063543af50d3cc46e447f2783a5625bfada98

SHA512
c23c79bfe0dc1bb939b42a2005ac46c854a55372f853ffce5cae46a09a9b0da7cfcf80d34340790d2e8fecb59a845e822bb35b89c1bf0d5246580b11f8f36b78

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b65a14c57ec5c2953c3894851e0d0cc6

SHA1
666eab8e166e075891eb89d60d57bffd8d88e13b

SHA256
d007b6b5ed8103d3259444b2741e699f5106eafc59a230e10f7f5e2c15fc53b5

SHA512
13d72e42205b1a5c9b44617bb941cbb7978b22220d2a0b95048b2b8bc121360de8a3634be04467c48cd47cf5f7f46049a0dc0f59d05a75b5a7c553bb7e32cc91

Download Submit
memory/1028-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1028-15-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1028-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1056-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1240-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1240-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1240-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1852-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-75-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2536-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2536-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-26-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2628-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2876-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-54-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2876-49-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2876-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download