neconyd | 4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Size

96KB
MD5

6d30139c97061226b75734e12f9c146f
SHA1

a432498b8f76246384be111074ef32d22e116f23
SHA256

4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae
SHA512

feca400a35b991e71b65249c928f9aa9502459a55e1673d9ebc0af047b9a8b7a8909e391dbd2ede25652cd71f4caaed275f2461bc15e489993193a1ea703bbda
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:xGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2996	omsecor.exe
2072	omsecor.exe
2292	omsecor.exe
1248	omsecor.exe
1920	omsecor.exe
2356	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
2996	omsecor.exe
2072	omsecor.exe
2072	omsecor.exe
1248	omsecor.exe
1248	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2996 set thread context of 2072	2996	omsecor.exe	31
PID 2292 set thread context of 1248	2292	omsecor.exe	34
PID 1920 set thread context of 2356	1920	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2432 wrote to memory of 2460	2432	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	29
PID 2460 wrote to memory of 2996	2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	30
PID 2460 wrote to memory of 2996	2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	30
PID 2460 wrote to memory of 2996	2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	30
PID 2460 wrote to memory of 2996	2460	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	30
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2996 wrote to memory of 2072	2996	omsecor.exe	31
PID 2072 wrote to memory of 2292	2072	omsecor.exe	33
PID 2072 wrote to memory of 2292	2072	omsecor.exe	33
PID 2072 wrote to memory of 2292	2072	omsecor.exe	33
PID 2072 wrote to memory of 2292	2072	omsecor.exe	33
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 2292 wrote to memory of 1248	2292	omsecor.exe	34
PID 1248 wrote to memory of 1920	1248	omsecor.exe	35
PID 1248 wrote to memory of 1920	1248	omsecor.exe	35
PID 1248 wrote to memory of 1920	1248	omsecor.exe	35
PID 1248 wrote to memory of 1920	1248	omsecor.exe	35
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36
PID 1920 wrote to memory of 2356	1920	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
"C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
  C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
473030f0c4c1ad124616902b364d422f

SHA1
9dfe4b0ee3ed75cb55f9909256e08f241b2cdf77

SHA256
802715f2799d8ac4c5587619ba598638df32e5473838c2910ec36041b506a84e

SHA512
5142d4ad4711307843612b6e36feed800bf75465e196e668f215124f7b857fecfd4118eadee29e51a97519f3f6ced174e95d4e9fe12b84b47f148015717a9aca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
72cc881b81ce915e7db3559b3f7f6aaf

SHA1
c10588c4dfa48229915c7f3d6c754dbd1d74b833

SHA256
9c289c8ca396b81545bc39c70a5cb929b33fd52933726a8e1d377b7bc86f66d8

SHA512
bfc0e321bbef551e0813291f1cc654a3b97c7d387d44be05c89619834b546472010d2e770e230514a12bf2f7126766a206e9a0e82f0df4dbfefec327633dbd56

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
4109da0b5e27ce028a7215570a1bf93a

SHA1
f3a8b6ee215818ea4dc94554aba900b35b77c21d

SHA256
e922d70b5ea239f56fddbaf7cbf8a5960c641c7950aeba7bcaceada45ad67b9c

SHA512
3ccfdb0486ce0fa2f7a7a4f5f5eafe41ae403c1c01174edda58ec18ec9fdaa6186f17c1a142f77196f684d196efbd0347bc6ca64f6cdbe7796c20f8262ed5b22

Download Submit
memory/1248-75-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1248-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1920-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2292-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2460-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2460-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2996-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download