neconyd | 7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
Size

134KB
MD5

f3236833d3d417f40dd700787185aab0
SHA1

e684ee297a24a73109418bca4c6e97e40ab0d0c3
SHA256

7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97
SHA512

4e4303106ed847d1f34da5b58d63d83bc75160a589365ce975c2cfa834d7d792b42b1e9d39f6772933fb4cf00a26ee71e8c7faf964b3270cc726a064079b88d6
SSDEEP

1536:zDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:/iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2440	omsecor.exe
2892	omsecor.exe
2368	omsecor.exe
2144	omsecor.exe
1360	omsecor.exe
1696	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
2440	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 2440 set thread context of 2892	2440	omsecor.exe	32
PID 2368 set thread context of 2144	2368	omsecor.exe	35
PID 1360 set thread context of 1696	1360	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 3040 wrote to memory of 2496	3040	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	30
PID 2496 wrote to memory of 2440	2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	31
PID 2496 wrote to memory of 2440	2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	31
PID 2496 wrote to memory of 2440	2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	31
PID 2496 wrote to memory of 2440	2496	7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe	31
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2440 wrote to memory of 2892	2440	omsecor.exe	32
PID 2892 wrote to memory of 2368	2892	omsecor.exe	34
PID 2892 wrote to memory of 2368	2892	omsecor.exe	34
PID 2892 wrote to memory of 2368	2892	omsecor.exe	34
PID 2892 wrote to memory of 2368	2892	omsecor.exe	34
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2368 wrote to memory of 2144	2368	omsecor.exe	35
PID 2144 wrote to memory of 1360	2144	omsecor.exe	36
PID 2144 wrote to memory of 1360	2144	omsecor.exe	36
PID 2144 wrote to memory of 1360	2144	omsecor.exe	36
PID 2144 wrote to memory of 1360	2144	omsecor.exe	36
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37
PID 1360 wrote to memory of 1696	1360	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
"C:\Users\Admin\AppData\Local\Temp\7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
  C:\Users\Admin\AppData\Local\Temp\7591c03af22b1830f46fa67da59a16c6977a9bad8637732fa49d551b6690ba97N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
79c07d52b61cf79ccb5609b6eeee28e4

SHA1
4b703c0e789e2098844bd0b209511e5cf0fe26b4

SHA256
01c70992e58e97fad6a93ba2321d018132a7bc973cecfcefcd5692d9cf644a4e

SHA512
b8a0490a28611c2aca5e29d8a52adf451dfacf30a177629b0503586ac830e0ce9f8d000e1cb5f02d9bc8bea03e9a0d3fbef975ab80f9dc4a17f6811163c7795b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
377101293f2987943fe0f92b020cb0c8

SHA1
b31971448614b4fc4339719e4ca5e55d07649763

SHA256
a284a85ea8d8e7da4849fcbbb3013f8340d7ac7bdde63bef9b560afbae80ea50

SHA512
7bd5ed9c8997c17ff6cb9cbc3d19eb520033fd32838a70daeb42fc8e72c5300786176dc34aebb8a5d8e2cbfbc329fb791dea527dc81a0c23431ad109221624bf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
da295406f0bed68c06d1a62d6e08b4c1

SHA1
c75d1830a3aeedcc94f5785bbaf0110fbffb232f

SHA256
8b6b9f88a0955d5530a54945b37f998c2d0a6250c78ac6fb91602d33d48ff831

SHA512
8c447e0daf7c045d2fe6b981aee806ede1937823c64fe148ae36d79dbfdc8134ac1ee51a409cf48312c848ea4e196412417d551b53cca3321cf86c64387faea7

Download Submit
memory/1360-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1360-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1696-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-75-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2144-76-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2368-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2496-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-46-0x0000000002900000-0x0000000002924000-memory.dmp

Filesize
144KB

Download
memory/2892-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-1-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/3040-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3040-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download