neconyd | dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/01/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
Size

128KB
MD5

73cab011babde57bf8e5e70ac85d2d3d
SHA1

40a2bb1bb24cbc90541cccd9274085e63cc723c7
SHA256

dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1
SHA512

1d218d1f7a7aa9c2ed37bb249cae28a1077d2a86ea58595213d2c9e53b5cee641c24ca3175a3b6ab987eb75ea6605c4633529eb0388e287febcbfc77e3bda298
SSDEEP

1536:8DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabaa:iiRTe3n8BMAW6J6f1tqF6dngNmaZr3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2880	omsecor.exe
2332	omsecor.exe
2740	omsecor.exe
2380	omsecor.exe
1964	omsecor.exe
396	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
2880	omsecor.exe
2332	omsecor.exe
2332	omsecor.exe
2380	omsecor.exe
2380	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 2880 set thread context of 2332	2880	omsecor.exe	32
PID 2740 set thread context of 2380	2740	omsecor.exe	36
PID 1964 set thread context of 396	1964	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 1948 wrote to memory of 2676	1948	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	30
PID 2676 wrote to memory of 2880	2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	31
PID 2676 wrote to memory of 2880	2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	31
PID 2676 wrote to memory of 2880	2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	31
PID 2676 wrote to memory of 2880	2676	dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe	31
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2880 wrote to memory of 2332	2880	omsecor.exe	32
PID 2332 wrote to memory of 2740	2332	omsecor.exe	35
PID 2332 wrote to memory of 2740	2332	omsecor.exe	35
PID 2332 wrote to memory of 2740	2332	omsecor.exe	35
PID 2332 wrote to memory of 2740	2332	omsecor.exe	35
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2740 wrote to memory of 2380	2740	omsecor.exe	36
PID 2380 wrote to memory of 1964	2380	omsecor.exe	37
PID 2380 wrote to memory of 1964	2380	omsecor.exe	37
PID 2380 wrote to memory of 1964	2380	omsecor.exe	37
PID 2380 wrote to memory of 1964	2380	omsecor.exe	37
PID 1964 wrote to memory of 396	1964	omsecor.exe	38
PID 1964 wrote to memory of 396	1964	omsecor.exe	38
PID 1964 wrote to memory of 396	1964	omsecor.exe	38
PID 1964 wrote to memory of 396	1964	omsecor.exe	38
PID 1964 wrote to memory of 396	1964	omsecor.exe	38
PID 1964 wrote to memory of 396	1964	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
"C:\Users\Admin\AppData\Local\Temp\dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
  C:\Users\Admin\AppData\Local\Temp\dc42a74163cf464f200edf88465381a04341c293548c3621c9c88c911ea90bb1.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
8bebe03baadea6680894f8ae923efab7

SHA1
531b18466a24dd67c12b3b54b063f034737c1117

SHA256
21454e1db2a9f1cbd77942d79602e2a2a779b36922dead1ed29e2021c8618ce0

SHA512
49ebfdf2cc9cc2a0bb3ef2babf2360986abb69c089111cc2869cc3efafc494f1ef0f9c0373ee9c50d2d58edb720a54a41db622d4d1a652fbf549a02dc44b49a8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
4eb577f86e5104335dcaaa4b6c501787

SHA1
097234f5e1cb350bec403286e395ed68a5f46e7a

SHA256
ee2a2cb6ff9fbc37d29ea9b3dfcd595ac9b6f569a596e529c1a430a6357d86a1

SHA512
4a3576f3354fc93cd6535ac33add4438e7de1ba2b82b990aa5ef43465ecd601022807707b8a05e05edf61117bd6d07ec7ab7a64c8abf23706ef440c6d3db4573

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
67781e16436ffe6a518e45a2d53098df

SHA1
a997a363672f073f43a098f7edb4a5a2f7e749b9

SHA256
38ca434e476510dcb94877a5ae9a006fa6b6a03ef1aec901a2013e0c50d1a27f

SHA512
8033121b328c0ece3ae96807d2204bffdafcf0e7c0ed8c389e4d5f6657b98e9cd03ef9a953f13c168ea49d41e4c69ecc16885849a1c7fda693ff54979b66d084

Download Submit
memory/396-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download