neconyd | f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
Size

96KB
MD5

40cf1e628a5f14faf8c6c86e3f115e70
SHA1

01311d9bf7b7c4488c0e077a18574802f6cbba42
SHA256

f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81
SHA512

b981edc39123459dc1a240b6bd5958e917f6f1d0f943adb7bd051fec0028369d31345983248ce2d3a3d05ea943bc994cebb4dad7afa028f1fca4cb4209f24011
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:kGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3032	omsecor.exe
2496	omsecor.exe
484	omsecor.exe
2228	omsecor.exe
2204	omsecor.exe
2380	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
3032	omsecor.exe
2496	omsecor.exe
2496	omsecor.exe
2228	omsecor.exe
2228	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 3032 set thread context of 2496	3032	omsecor.exe	33
PID 484 set thread context of 2228	484	omsecor.exe	37
PID 2204 set thread context of 2380	2204	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2788 wrote to memory of 2840	2788	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	31
PID 2840 wrote to memory of 3032	2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	32
PID 2840 wrote to memory of 3032	2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	32
PID 2840 wrote to memory of 3032	2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	32
PID 2840 wrote to memory of 3032	2840	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	32
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 2496 wrote to memory of 484	2496	omsecor.exe	36
PID 2496 wrote to memory of 484	2496	omsecor.exe	36
PID 2496 wrote to memory of 484	2496	omsecor.exe	36
PID 2496 wrote to memory of 484	2496	omsecor.exe	36
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 484 wrote to memory of 2228	484	omsecor.exe	37
PID 2228 wrote to memory of 2204	2228	omsecor.exe	38
PID 2228 wrote to memory of 2204	2228	omsecor.exe	38
PID 2228 wrote to memory of 2204	2228	omsecor.exe	38
PID 2228 wrote to memory of 2204	2228	omsecor.exe	38
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39
PID 2204 wrote to memory of 2380	2204	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
"C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
  C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36f9f0e54b0ed02ddce511ba0be93c13

SHA1
b30ec2c853fab55792883a43c6320fb2531a256c

SHA256
21d567af5894cf4e05355776ff97fa4f5d555181c52bb16778f4fce7d2d1e0f2

SHA512
f426247e675d73ec25ca3ce651f089c1600983434290522968b0c12232c48fa7c11c010f5e692d713ca0f678a5c97f6005da00219bf28bc9be3f95ba0513baf1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ca1b40822b297651ae97aeae80924775

SHA1
616ce8d603a87972d637005a82c84822bded955a

SHA256
f2f379ba1225d1486e59a685250d7067787418940556a3b6ca355a6ebba4f403

SHA512
3cffa43e4c1520fa4d87f269848a7e56fb048899c2e4b514949447bb24cf0f354dbde923a3ffa2274191074f12167e40b5fab01d212b9c2769664d2a18de4296

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d7b6ab7de4177e464ab195bb460457d8

SHA1
ef02cc36732f4fda9c2d4a2483d9392084e9341f

SHA256
67a16d114d676b20ec27d8ff44fe12af14f69b0b6b6eeb839f638174bce25ef0

SHA512
84cdfd2c04355be1fba76cc23e92d1953888e3a787ec812e702ed6718a4892933f28b8de5e04d34631ecbb8b7aec6de5aaf0d6f130ad9ead990571929fc3209c

Download Submit
memory/484-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/484-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2228-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2380-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2496-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3032-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download