neconyd | c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/01/2025, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
Size

134KB
MD5

0d00526946b84d34a807a350500ce952
SHA1

6142c3bedab608c18b2b35572541a1047a63abe0
SHA256

c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e
SHA512

8aaa25fbe22a86b589495be5ffedb93640e326e587ebd0c1bd6f066d0ade720306ccde6373bd0ec813990c92cf5ef7f87c809bd749222198f0f1db3eef9cb3f1
SSDEEP

1536:bDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:XiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2364	omsecor.exe
2144	omsecor.exe
1060	omsecor.exe
2600	omsecor.exe
1848	omsecor.exe
2216	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
2364	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe
2600	omsecor.exe
2600	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 2364 set thread context of 2144	2364	omsecor.exe	33
PID 1060 set thread context of 2600	1060	omsecor.exe	37
PID 1848 set thread context of 2216	1848	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1224 wrote to memory of 1868	1224	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	31
PID 1868 wrote to memory of 2364	1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	32
PID 1868 wrote to memory of 2364	1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	32
PID 1868 wrote to memory of 2364	1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	32
PID 1868 wrote to memory of 2364	1868	c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe	32
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2364 wrote to memory of 2144	2364	omsecor.exe	33
PID 2144 wrote to memory of 1060	2144	omsecor.exe	36
PID 2144 wrote to memory of 1060	2144	omsecor.exe	36
PID 2144 wrote to memory of 1060	2144	omsecor.exe	36
PID 2144 wrote to memory of 1060	2144	omsecor.exe	36
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 1060 wrote to memory of 2600	1060	omsecor.exe	37
PID 2600 wrote to memory of 1848	2600	omsecor.exe	38
PID 2600 wrote to memory of 1848	2600	omsecor.exe	38
PID 2600 wrote to memory of 1848	2600	omsecor.exe	38
PID 2600 wrote to memory of 1848	2600	omsecor.exe	38
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39
PID 1848 wrote to memory of 2216	1848	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
"C:\Users\Admin\AppData\Local\Temp\c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
  C:\Users\Admin\AppData\Local\Temp\c01b7fba0c779535f8f189195715fbc8f559a81844c572f5c3f01d6062b79c0e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
26b123b35375434cc474e9100c138a89

SHA1
189a1aca36bba7fbc4e48bcf7d3e35b191c8a145

SHA256
edea49cf3448b574be8d41bf09ef83568ff121705964ab3ed68e943b1b4d3c29

SHA512
e6fef0ed5d39e11c26cd0f95300b2da6795bcaca32335b6ca2107096c741877b90fbd43aac652f67530bff1d78099600e6caf1695e2baedd4315ea7f4ebbac05

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
64ec34649b3e8d308dadbb3e50229d1d

SHA1
0512fe70dff8d27f2817ab29276cad4a41d10141

SHA256
1f6d8724edf621fd325ceb99362ebb523035b79169c2db465a92cca9380aac59

SHA512
a98770c8b59dbe84208ba52eed0f35a5508a65c4cd641a133fa07e9e5a29c09c01adccf08acf853984e26d0906db8e8074030b585c542b19349adb07199c4dfc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
2948cbca725aeeee27ad32f588dd8f47

SHA1
59875353f5da2e63078c8621b19137ce4c37a253

SHA256
4f66f8866429202fd777ab7778e9934f927fde296fd9ed1626719ef63fdfc713

SHA512
82b7b744db01bfdef635a8ec2aba0c3effdafdeaf2d877fd1c156b3e370b8c99fe1f118e04cd2373426edf616264a057d0f05acccc67ff5f84094143b842b4b8

Download Submit
memory/1060-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1060-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1224-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1224-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-21-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1868-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1868-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1868-19-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1868-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1868-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-52-0x0000000000340000-0x0000000000364000-memory.dmp

Filesize
144KB

Download
memory/2144-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-25-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2364-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-87-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2600-76-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download