neconyd | 096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
Size

96KB
MD5

c261a75f6c9f7a22d29f7d47424c9f1b
SHA1

0023b2369c66b591b01478264bb22e64cd5bb2be
SHA256

096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f
SHA512

9bd15e1b296a26bbbe60472958f0b3b7a8b70dbed81165b99b623d468213888d5bebcd838ed5ccac35feb3e9ecbe8d80a009d98b1fad7c370c02f32f7badfb12
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:PGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2480	omsecor.exe
2892	omsecor.exe
1640	omsecor.exe
460	omsecor.exe
516	omsecor.exe
2408	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
2480	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe
460	omsecor.exe
460	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2480 set thread context of 2892	2480	omsecor.exe	32
PID 1640 set thread context of 460	1640	omsecor.exe	35
PID 516 set thread context of 2408	516	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2208 wrote to memory of 2496	2208	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	30
PID 2496 wrote to memory of 2480	2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	31
PID 2496 wrote to memory of 2480	2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	31
PID 2496 wrote to memory of 2480	2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	31
PID 2496 wrote to memory of 2480	2496	096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe	31
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2480 wrote to memory of 2892	2480	omsecor.exe	32
PID 2892 wrote to memory of 1640	2892	omsecor.exe	34
PID 2892 wrote to memory of 1640	2892	omsecor.exe	34
PID 2892 wrote to memory of 1640	2892	omsecor.exe	34
PID 2892 wrote to memory of 1640	2892	omsecor.exe	34
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 1640 wrote to memory of 460	1640	omsecor.exe	35
PID 460 wrote to memory of 516	460	omsecor.exe	36
PID 460 wrote to memory of 516	460	omsecor.exe	36
PID 460 wrote to memory of 516	460	omsecor.exe	36
PID 460 wrote to memory of 516	460	omsecor.exe	36
PID 516 wrote to memory of 2408	516	omsecor.exe	37
PID 516 wrote to memory of 2408	516	omsecor.exe	37
PID 516 wrote to memory of 2408	516	omsecor.exe	37
PID 516 wrote to memory of 2408	516	omsecor.exe	37
PID 516 wrote to memory of 2408	516	omsecor.exe	37
PID 516 wrote to memory of 2408	516	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
"C:\Users\Admin\AppData\Local\Temp\096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
  C:\Users\Admin\AppData\Local\Temp\096fba76be1678c903c6989c1d8005b3accc36d0ab8668f98ed7c5ce161f994f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3aaaf18fc1ad2a3688abd95952e4454f

SHA1
2d53d87b0433667e774902a0511d626220d7b421

SHA256
1c31a9971a9b29d2ddd1bb88da8e0bece0b39a619e8763ef721a45de4749c384

SHA512
4066d3fbfdea83ac5bea8a00127e22de82a31c9414237465db38258b2df74af7fe65f2b8cba83e50f200b6782f49bfe7efeee7abb523dec4cc8d91e281bf8e62

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dab90aa322e45c57d85593a361fbbfee

SHA1
2215c750b7041dd1829ba7559f447ffb5ca7fecd

SHA256
29e72d8f952412cda9f2fb196d5d9264c9590e7c07290b54f75bdf614e2a7808

SHA512
84e27f1c182eff078186ffab0234219e4fbbcde3b96a9b6ec9b0e065c309ff123660df6af4daf3da5a059746611f1059e40482ad73eea3914ad884422f5ac507

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c125632c06ea92c275ffb6fa57cf0ea2

SHA1
1a2a2ce1419cc8cdb33c100598466275ee1b5fb8

SHA256
711456033c95c688c954be3c29b09b5ec96481cc8a85a95a9809022171d9729b

SHA512
a6a19e4a231f14c76398737b8a59cda89f9fb220968c34910da40aa9c262130e921f58661dc4933c1aa311bc945a466e93100c5bf5ff11a1bdaa7a625bc45952

Download Submit
memory/516-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/516-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-36-0x0000000001B50000-0x0000000001B73000-memory.dmp

Filesize
140KB

Download
memory/2208-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-25-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2480-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-13-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2892-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-57-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2892-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-49-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/2892-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download