neconyd | c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfe

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Size

96KB
MD5

eba5577bdcc8429e4fc573ed479ca6e0
SHA1

2af7c176d2d26d5bd7b68f6454798c500d502db1
SHA256

c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfe
SHA512

0c9e5399d2d88770f38f0078581b534e89ca57a67639dfe1d89104a94333b3f59e39af23bd8323fc570cbb6337b92107cc6aa8402c3e4b69445222ce9d7a80bc
SSDEEP

1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:hGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2972	omsecor.exe
2840	omsecor.exe
2068	omsecor.exe
1012	omsecor.exe
2372	omsecor.exe
1988	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
2972	omsecor.exe
2840	omsecor.exe
2840	omsecor.exe
1012	omsecor.exe
1012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2972 set thread context of 2840	2972	omsecor.exe	32
PID 2068 set thread context of 1012	2068	omsecor.exe	36
PID 2372 set thread context of 1988	2372	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2244 wrote to memory of 2704	2244	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	30
PID 2704 wrote to memory of 2972	2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	31
PID 2704 wrote to memory of 2972	2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	31
PID 2704 wrote to memory of 2972	2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	31
PID 2704 wrote to memory of 2972	2704	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	31
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2972 wrote to memory of 2840	2972	omsecor.exe	32
PID 2840 wrote to memory of 2068	2840	omsecor.exe	35
PID 2840 wrote to memory of 2068	2840	omsecor.exe	35
PID 2840 wrote to memory of 2068	2840	omsecor.exe	35
PID 2840 wrote to memory of 2068	2840	omsecor.exe	35
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 2068 wrote to memory of 1012	2068	omsecor.exe	36
PID 1012 wrote to memory of 2372	1012	omsecor.exe	37
PID 1012 wrote to memory of 2372	1012	omsecor.exe	37
PID 1012 wrote to memory of 2372	1012	omsecor.exe	37
PID 1012 wrote to memory of 2372	1012	omsecor.exe	37
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38
PID 2372 wrote to memory of 1988	2372	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
"C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
  C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
96f5b898b5f386c7a78bfbc2878dcfbb

SHA1
b26cc5dfdc230fb3c686d72d782e452e76e0e9f4

SHA256
2dcae749724696582f0cc90fec09f6aab225e739a170e4728b5f3fd406447f39

SHA512
a317a9509a6b215836812ef498d4ffbab0490ed24198c2a9edf8fa059000606f5778c59819efd593d81457ecf61deaa65fb744130b9ddb209ff3b64fd3a3bbf0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7925a88e71e083067ec4456052f639c8

SHA1
0285bd31849e901fe47067661121af834b77a057

SHA256
1bdfd1ba9e7c6d7662752d8b19aea4c949de07240cc18ebcb5df1d2a494ccdd8

SHA512
5816d9aedd8fb3f0eb7746f6bb5d0a07e97e6e176e0ab920cbade7401588a381d290a04edef9e5ec3cc43effb932cfaeaa3021470f32bb406e88a176a4c47fda

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2e949ecf42d15996d53eefdcea900c9c

SHA1
3d0f43666f5387135700512bb46738b1b03cf82c

SHA256
f8488c88d93622ea3fcd1ec03a06029451795c3b26d6d543bc4c342ab2b5bab5

SHA512
5a52b8145881ee2e224fb311c5952e06b4643f7ab286e7541e155a1a8bcc88f311a3497df3100b068bca355a46aef901f76ffd82cb5f9115de5b287944230214

Download Submit
memory/1012-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1988-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-2-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/2244-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-55-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2840-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-47-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2840-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download