neconyd | 97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Size

96KB
MD5

ad84983cf108388009030120e07e2000
SHA1

d058d298c2ee9cbe89480bc29e4da3db3db5505b
SHA256

97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71
SHA512

7f149dff2bb6a7168f47113bb55a360a66d8373766962def2a6fd7021c7044307303afdaab96d479bb068497bccb486a9b6fbaf95d59b07aa20fc1d13a9f47b4
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:EGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2672	omsecor.exe
2836	omsecor.exe
1676	omsecor.exe
2516	omsecor.exe
1208	omsecor.exe
620	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
2672	omsecor.exe
2836	omsecor.exe
2836	omsecor.exe
2516	omsecor.exe
2516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2672 set thread context of 2836	2672	omsecor.exe	32
PID 1676 set thread context of 2516	1676	omsecor.exe	35
PID 1208 set thread context of 620	1208	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2676 wrote to memory of 2760	2676	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	30
PID 2760 wrote to memory of 2672	2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	31
PID 2760 wrote to memory of 2672	2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	31
PID 2760 wrote to memory of 2672	2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	31
PID 2760 wrote to memory of 2672	2760	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	31
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2672 wrote to memory of 2836	2672	omsecor.exe	32
PID 2836 wrote to memory of 1676	2836	omsecor.exe	34
PID 2836 wrote to memory of 1676	2836	omsecor.exe	34
PID 2836 wrote to memory of 1676	2836	omsecor.exe	34
PID 2836 wrote to memory of 1676	2836	omsecor.exe	34
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 1676 wrote to memory of 2516	1676	omsecor.exe	35
PID 2516 wrote to memory of 1208	2516	omsecor.exe	36
PID 2516 wrote to memory of 1208	2516	omsecor.exe	36
PID 2516 wrote to memory of 1208	2516	omsecor.exe	36
PID 2516 wrote to memory of 1208	2516	omsecor.exe	36
PID 1208 wrote to memory of 620	1208	omsecor.exe	37
PID 1208 wrote to memory of 620	1208	omsecor.exe	37
PID 1208 wrote to memory of 620	1208	omsecor.exe	37
PID 1208 wrote to memory of 620	1208	omsecor.exe	37
PID 1208 wrote to memory of 620	1208	omsecor.exe	37
PID 1208 wrote to memory of 620	1208	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
"C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
  C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2dab81093b8caf982212b87870d78c4f

SHA1
8d03411c8e2263e0ea2dcceb244312d7b663b84e

SHA256
31eb32fa676922f5a77337a7c9cb3809edad11f50c84b5682cee31ce93c64169

SHA512
59c1bab454c984fe450997c7c01c9f7b0424b0e728f469dd0ccfa1e1fd9fe6d6504b33790311057563b298433c542e77684090f4216be621427df362020ff0cd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27958aa968a6d08c5f64d75fe08933d3

SHA1
c8c4d2931f3900dcd19f184c7a28b0bcd65b7d8d

SHA256
4455e90cc4130d04f3e578bf9071e01255613b5c257e8bcabd43722367193534

SHA512
d38e98a8a27e3c22497faec19c85f6054568222b6a736870bd6828bb15925fd19ca52337ae560f212b48b4ab67e6ba74dfdae71874dd5fec8205010122b88a0f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0ed3155f69cb4779f15e6aab01c49e82

SHA1
fdb87093885f170a5e02f824a7127c5ab9d557c7

SHA256
d37eace891071a2980f8d4410722d2b4ee33fbbb4aee1c9fa47d9e0f00ce7165

SHA512
b9dbfee7d93a62a321980c1640385d61b662e5d9b9b7bbcc9c54cf6744f6f822dfcdf4937dc3633a0fbc4215dc2283afc852a28f4e659c5f1a74e5216d78a1ee

Download Submit
memory/620-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1208-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1676-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2672-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2672-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2760-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-14-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2760-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-47-0x0000000002320000-0x0000000002343000-memory.dmp

Filesize
140KB

Download
memory/2836-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download