neconyd | 05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
Size

96KB
MD5

987c54fdd083d17c17554d5be2d45b50
SHA1

cfea6bab95d0b94863a475ad95ed9c9c19fc64a6
SHA256

05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6
SHA512

63a2a73a4cae5582d98c78ec5bc58f8dcc90abe83a042a3553766abe3a479fea5a0b9155a9dbfc3853b10e3ad2a2baf7e3fde38f96a6844cca78e8da275da8d8
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1992	omsecor.exe
1752	omsecor.exe
1444	omsecor.exe
1936	omsecor.exe
1412	omsecor.exe
1764	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
1992	omsecor.exe
1752	omsecor.exe
1752	omsecor.exe
1936	omsecor.exe
1936	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 1992 set thread context of 1752	1992	omsecor.exe	32
PID 1444 set thread context of 1936	1444	omsecor.exe	36
PID 1412 set thread context of 1764	1412	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 2356 wrote to memory of 1884	2356	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	30
PID 1884 wrote to memory of 1992	1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	31
PID 1884 wrote to memory of 1992	1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	31
PID 1884 wrote to memory of 1992	1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	31
PID 1884 wrote to memory of 1992	1884	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	31
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1992 wrote to memory of 1752	1992	omsecor.exe	32
PID 1752 wrote to memory of 1444	1752	omsecor.exe	35
PID 1752 wrote to memory of 1444	1752	omsecor.exe	35
PID 1752 wrote to memory of 1444	1752	omsecor.exe	35
PID 1752 wrote to memory of 1444	1752	omsecor.exe	35
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1444 wrote to memory of 1936	1444	omsecor.exe	36
PID 1936 wrote to memory of 1412	1936	omsecor.exe	37
PID 1936 wrote to memory of 1412	1936	omsecor.exe	37
PID 1936 wrote to memory of 1412	1936	omsecor.exe	37
PID 1936 wrote to memory of 1412	1936	omsecor.exe	37
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38
PID 1412 wrote to memory of 1764	1412	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
"C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
  C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e12784b083ab4128cf9abff11d4c6d42

SHA1
b5b82c5cb0c09b3e7c5f5807ca870d2e0d752e1a

SHA256
94e95823f0dd82d4f8d80c4fcdbe849a723d427651c15e4d2c8ec82bfa6c964b

SHA512
3db7d41923655cca90cd728569d9d2893185bbb7f1127c32a3d3895a42ac7473a1482ed9c8e8086d867b484014f5feb3d64ed4d1d2163211f5162a3ba3ad5d09

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
44f6debd2a0283facf0487a88215151b

SHA1
3cdc00b36882138c90df0cd19968b90d81a7f134

SHA256
a458ed20f996d2e5a7eac7fe28337b6eb56f2b6b7672e7d0a22e95129aeb7395

SHA512
bf5b3bb00cd7d2900966c881089ad621151d900f140b26410621fdc8196138739a801cafef9475946c32b244e17411c9e95e0a26b34512cab1a60a9a0dee38c1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cae33b50f3baad3ee34354e32f7ef65d

SHA1
c180b12ae9e8fff4d9bbf7fd700f0f18364d2316

SHA256
af7430fc23eb373e3128fc9efe15ee1adadf36521670a04197786f52df2bb5a0

SHA512
fd19630de90a65f19074f04788b77a2da1df05e63bc1a43bbb9992623a564ca214a11f08cfda3f3aeca33cd4098072ba96c9639ada11779e36a7575f959c92ba

Download Submit
memory/1412-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1412-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-54-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/1752-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-48-0x0000000001F70000-0x0000000001F93000-memory.dmp

Filesize
140KB

Download
memory/1752-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1752-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1764-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1884-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1884-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1884-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1884-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1884-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1884-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download