neconyd | 9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
Size

96KB
MD5

6fba36ee6a4b30872aceb83cb2a4c130
SHA1

24bb0d6e6156e752859729f8961807e75bca7028
SHA256

9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9
SHA512

5a1b0e4e33093138ac222986da291e4a2cf1c29d28b5cd96ccd8fdff3f4011320fcd6015e5200e6823d4999fb34c634f8a15ac1dbb2644356c985dc58e496d77
SSDEEP

1536:gnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:gGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2652	omsecor.exe
2928	omsecor.exe
2684	omsecor.exe
2104	omsecor.exe
1596	omsecor.exe
1748	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
2652	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe
2104	omsecor.exe
2104	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2652 set thread context of 2928	2652	omsecor.exe	32
PID 2684 set thread context of 2104	2684	omsecor.exe	35
PID 1596 set thread context of 1748	1596	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2736 wrote to memory of 2296	2736	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	30
PID 2296 wrote to memory of 2652	2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	31
PID 2296 wrote to memory of 2652	2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	31
PID 2296 wrote to memory of 2652	2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	31
PID 2296 wrote to memory of 2652	2296	9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe	31
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2652 wrote to memory of 2928	2652	omsecor.exe	32
PID 2928 wrote to memory of 2684	2928	omsecor.exe	34
PID 2928 wrote to memory of 2684	2928	omsecor.exe	34
PID 2928 wrote to memory of 2684	2928	omsecor.exe	34
PID 2928 wrote to memory of 2684	2928	omsecor.exe	34
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2684 wrote to memory of 2104	2684	omsecor.exe	35
PID 2104 wrote to memory of 1596	2104	omsecor.exe	36
PID 2104 wrote to memory of 1596	2104	omsecor.exe	36
PID 2104 wrote to memory of 1596	2104	omsecor.exe	36
PID 2104 wrote to memory of 1596	2104	omsecor.exe	36
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37
PID 1596 wrote to memory of 1748	1596	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
"C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
  C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2fda53bae1a990bd562c2b0fa6abf020

SHA1
010478f5e1b2360977c63ac3b5b8718f0542c6a8

SHA256
156761a4da091b2c24b114d7a918a1509a2f18adbf3ab77e391066b3c2a75d1e

SHA512
94a50e6ea461a2c7fedce66e56a11f9ab9a518a4a9675cc065b554637b05a970c87742582bdff8e1d84c3b92f5eb241f31ff6da9963ef65c946e9eb697b2ece9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
719c49f71661f5bee1ab4d87289a29dc

SHA1
327e1904bcd3debe845f961f2048a49231bdcf4e

SHA256
516b015988dc5bd7f96a71d6aa9860d19fb646c03bce53e79a9757e356b927e9

SHA512
3ae033fe39066cb2fca623519c08871f6f4ec39404369406f5f1a31e073f22231ca80b6f82a355bc38e1b2b4172d7e1b03a0825cf1c6cb8784bce8cf7f78c545

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f449e94dea3d9693155b202692fcc98e

SHA1
7ccc75caa16c294e7d8ab270d4cd53049600ef97

SHA256
4d8cb44cd5ebf3ba737aa7ec31e894cc7363f41f6a39ac89ced894cb47a16a77

SHA512
4441248b6f7a219214ebead6b898ba2570584b552b28b16ed9f79a9720249e4cfbb2ad1cd70f0a22afbb9ebe1f6a1b92c0dc9baa379f263760bf34cc0c3e2c23

Download Submit
memory/1596-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1596-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1748-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2652-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-1-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2928-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-48-0x0000000002030000-0x0000000002053000-memory.dmp

Filesize
140KB

Download
memory/2928-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download