neconyd | 59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Size

134KB
MD5

19d6483fdba0d0cde976a108c16686c0
SHA1

8e41b2280d7e0f3da59aa307eef8e6369891fe22
SHA256

59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9
SHA512

cfae729899cc26e4063c67ba9c40de794d8f2b66e5fc2adc61f69ffeb753af519eed204c7934009ec3718ded1554c37a438182dda0415b4a1015ba39af788b88
SSDEEP

1536:nDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:DiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2972	omsecor.exe
2852	omsecor.exe
2416	omsecor.exe
1012	omsecor.exe
2268	omsecor.exe
1812	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
2972	omsecor.exe
2852	omsecor.exe
2852	omsecor.exe
1012	omsecor.exe
1012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2972 set thread context of 2852	2972	omsecor.exe	32
PID 2416 set thread context of 1012	2416	omsecor.exe	36
PID 2268 set thread context of 1812	2268	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2684 wrote to memory of 2380	2684	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	30
PID 2380 wrote to memory of 2972	2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	31
PID 2380 wrote to memory of 2972	2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	31
PID 2380 wrote to memory of 2972	2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	31
PID 2380 wrote to memory of 2972	2380	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	31
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2972 wrote to memory of 2852	2972	omsecor.exe	32
PID 2852 wrote to memory of 2416	2852	omsecor.exe	35
PID 2852 wrote to memory of 2416	2852	omsecor.exe	35
PID 2852 wrote to memory of 2416	2852	omsecor.exe	35
PID 2852 wrote to memory of 2416	2852	omsecor.exe	35
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 2416 wrote to memory of 1012	2416	omsecor.exe	36
PID 1012 wrote to memory of 2268	1012	omsecor.exe	37
PID 1012 wrote to memory of 2268	1012	omsecor.exe	37
PID 1012 wrote to memory of 2268	1012	omsecor.exe	37
PID 1012 wrote to memory of 2268	1012	omsecor.exe	37
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38
PID 2268 wrote to memory of 1812	2268	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
"C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
  C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8d7ae5d120a4332c684ddd3a5b81b29b

SHA1
11e313aafbdf5aae1ed7c99bd0289ba5dab37bac

SHA256
38c38ba02edfe751951897cfbee225eda9b3b92dfd2fc9763d90a6dc910b118f

SHA512
87388bd296042bf2e2607f39cfd357692b9d7957f5dd7b50fdb07d31aad3a16f46145a0b7f9785ea757b6836084f3c40ad73220d7c061d09b6d1608748a72c58

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
4fd2837491d37f32121d63aab9cd1637

SHA1
05f3f21bc1793a97a9b2ff542b3b368044c21fbc

SHA256
c79111ffa150ae20b8ab0ad8646bc82d7dd9a91e472b9673e36e56c4c4a05c83

SHA512
ec0304b5fc835f7166e6aed3783cc1dd0c6a172f72860ea7ca3ee08677b0460af64fe61988d19017be5a1b30b9f430bf8ccf223b5b22e09287b00ccfd93b5ada

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
88a8f39ef182d73b717063173a7ae86e

SHA1
51fb36e81b87aa3f9850c83969b5590d0b838f8c

SHA256
ce45005ca8b9e426bb33a8cd85d7654502fcf6e21401ec36be885d11c8a86996

SHA512
9c1742a47a00b5c976d423234e70e2dee9032a22ebad22dfe1b247b9905fdc487a1e36f1ff193c38b18c528bc02abfecaa11dc61822469e77569a77836799db4

Download Submit
memory/1012-68-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1812-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2268-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2268-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2380-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2852-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-45-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/2852-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-23-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2972-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download