neconyd | ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Size

134KB
MD5

1f5b93590a82461a3c309756069c7740
SHA1

a4ac2ada6df4bed79688705f0eb452a4bef57fcd
SHA256

ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11
SHA512

99c766ad16e19b9ce1757721dc99b089ee74a7e8b5bd752eaa48ab09213611ff983931a22575962474f64447ed4e7c2065cf63f95fa5745ab496037c66e8c2fa
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2156	omsecor.exe
2364	omsecor.exe
2264	omsecor.exe
1044	omsecor.exe
1880	omsecor.exe
2340	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
2156	omsecor.exe
2364	omsecor.exe
2364	omsecor.exe
1044	omsecor.exe
1044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2156 set thread context of 2364	2156	omsecor.exe	32
PID 2264 set thread context of 1044	2264	omsecor.exe	36
PID 1880 set thread context of 2340	1880	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 2052 wrote to memory of 1704	2052	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	30
PID 1704 wrote to memory of 2156	1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	31
PID 1704 wrote to memory of 2156	1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	31
PID 1704 wrote to memory of 2156	1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	31
PID 1704 wrote to memory of 2156	1704	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	31
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2156 wrote to memory of 2364	2156	omsecor.exe	32
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2364 wrote to memory of 2264	2364	omsecor.exe	35
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 2264 wrote to memory of 1044	2264	omsecor.exe	36
PID 1044 wrote to memory of 1880	1044	omsecor.exe	37
PID 1044 wrote to memory of 1880	1044	omsecor.exe	37
PID 1044 wrote to memory of 1880	1044	omsecor.exe	37
PID 1044 wrote to memory of 1880	1044	omsecor.exe	37
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38
PID 1880 wrote to memory of 2340	1880	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
"C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
  C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ab272e52973f0c2efa4675ff8e12b1c2

SHA1
01ed7323dd44a0cf8ea864aaf83c369a134d61af

SHA256
d728220361efbf8685a2a7c8da8538030e75e2941e042ad46b93d679f19869c5

SHA512
a1b95a0569fbda7d51179ecb613a8f36a7c6a71e6b400d9e2c9e81f90634401ec9f789de067a67dfd7b3c493631b260364b16747923842331af4d9a688e5f072

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b505b6ba325ea968cec2858c9649754d

SHA1
b00c4a57fd7ce5e489e4c3b701a169b98d963f01

SHA256
9a5ccf8e2497101119954287351e412e356842c5fcdd0b61dba142c22cdfce4f

SHA512
32ffc73f73db781ffb6ccf5b0762bef8f5acc554bda14c5bffeae36b76d3d03dfd836411f242a34fccee1e1ddce46c2279794f412639d5007b9c8f0ff366472a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
999f32b1ea676897aeb296843cca4b6a

SHA1
4163cfd07acd1d1a0095fc02dab6bf7ddb498aec

SHA256
c18bdcc2bab678d63b73d5bca29a19cbfd496c79757061b0155bac4afd82ae62

SHA512
f824dae2c30ce27a7ccc4a3ed49fa79d8a440225a3df606aaac2780bce1cc1937d31632a20ec6ed07aa6e06a667327dfbc918117957e58b2d86565d8ddbdedf9

Download Submit
memory/1044-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1704-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2052-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2052-1-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2052-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2156-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2156-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2264-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2264-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-45-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/2364-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download