neconyd | 1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
Size

134KB
MD5

467d4466e9cfc80448b78650981e0262
SHA1

00589707e788664d4743ea981e65833495d016c1
SHA256

1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264
SHA512

f8cfe8a3a1416bc02e2e907f1c83e795b54c1bcb5a3f53d65ea1ac9c28772c1ec42d4a904b748eec9aaba299261cf0b7ae7943d18a7dcd19a2d0d00bbabc9835
SSDEEP

1536:nDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:DiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1848	omsecor.exe
1820	omsecor.exe
1988	omsecor.exe
764	omsecor.exe
1996	omsecor.exe
2116	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
1848	omsecor.exe
1820	omsecor.exe
1820	omsecor.exe
764	omsecor.exe
764	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 1848 set thread context of 1820	1848	omsecor.exe	32
PID 1988 set thread context of 764	1988	omsecor.exe	36
PID 1996 set thread context of 2116	1996	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 2972 wrote to memory of 1272	2972	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	30
PID 1272 wrote to memory of 1848	1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	31
PID 1272 wrote to memory of 1848	1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	31
PID 1272 wrote to memory of 1848	1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	31
PID 1272 wrote to memory of 1848	1272	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	31
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1848 wrote to memory of 1820	1848	omsecor.exe	32
PID 1820 wrote to memory of 1988	1820	omsecor.exe	35
PID 1820 wrote to memory of 1988	1820	omsecor.exe	35
PID 1820 wrote to memory of 1988	1820	omsecor.exe	35
PID 1820 wrote to memory of 1988	1820	omsecor.exe	35
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 1988 wrote to memory of 764	1988	omsecor.exe	36
PID 764 wrote to memory of 1996	764	omsecor.exe	37
PID 764 wrote to memory of 1996	764	omsecor.exe	37
PID 764 wrote to memory of 1996	764	omsecor.exe	37
PID 764 wrote to memory of 1996	764	omsecor.exe	37
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38
PID 1996 wrote to memory of 2116	1996	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
"C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
  C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3e5d980c5dc80db99ab07b78dc81964d

SHA1
7b7ea3a2e6ba10c044611894917955f98dcdda86

SHA256
0e7d2efc4344a66b25497dd31aa25004020961808d235a3db63ddafa4fca0fdf

SHA512
34eb03422af95e63c3c86b04e8580c23767d975b1056e2946b069674aaa6917de9080146535d44558aefaf7c159f559a7c171814bb6eff68678a4d6b39550ca4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
51b6c073c1e21d96afb18aa45344801d

SHA1
6145281feeac41cf38cf337b058dbff474f28975

SHA256
ec8a7d140c55a2920cfbe01bfe544f90be4f15811177f7262bc3af4898fd174f

SHA512
15ebd40e95679a8bf729ce26edc18651073561c253c113f9e48caed7afd3c2efca281b0258e88710f6d7362a2ff0f3e29d965b42d67b77b9dfe5c5c0a2797bb0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6abb6d87971155ce29c6f9d7b2005ffb

SHA1
2c5bf674d0941ae5af17b2b864d1cd598f9b9be8

SHA256
dac31f1d6971ef1f3ffad753c937564aba97dc670d80337e238818386e70648b

SHA512
48af6267e075e855d3c1ccbd43bb93b25e05e9a6ca1fd8fecd3b80efce1302a61131f1480ecd20615a0aaa28c4d73b6e969cf5330afacf6d71a3a3df88081190

Download Submit
memory/764-70-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1272-21-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1272-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1272-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-47-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/1820-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1988-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1988-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-6-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2972-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download