neconyd | 4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
Size

128KB
MD5

76ad31e7dce644b164e65c0c7df81ca0
SHA1

c7b06b97713a22f6206cd3361f54559c6b0470a7
SHA256

4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8
SHA512

e8048b5b820ce897d8fbab00fdd86d51c661aa23e86928912ce69d730fb5a83b2476dd6a3c34e9f252ec3bab0d3a4b3471bc8409a5076e82694fcf26e5c82cc7
SSDEEP

1536:8DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:iiRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2784	omsecor.exe
2664	omsecor.exe
836	omsecor.exe
2112	omsecor.exe
1784	omsecor.exe
1292	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
2784	omsecor.exe
2664	omsecor.exe
2664	omsecor.exe
2112	omsecor.exe
2112	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 2784 set thread context of 2664	2784	omsecor.exe	32
PID 836 set thread context of 2112	836	omsecor.exe	35
PID 1784 set thread context of 1292	1784	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 3044 wrote to memory of 2236	3044	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	30
PID 2236 wrote to memory of 2784	2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	31
PID 2236 wrote to memory of 2784	2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	31
PID 2236 wrote to memory of 2784	2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	31
PID 2236 wrote to memory of 2784	2236	4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe	31
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2784 wrote to memory of 2664	2784	omsecor.exe	32
PID 2664 wrote to memory of 836	2664	omsecor.exe	34
PID 2664 wrote to memory of 836	2664	omsecor.exe	34
PID 2664 wrote to memory of 836	2664	omsecor.exe	34
PID 2664 wrote to memory of 836	2664	omsecor.exe	34
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 836 wrote to memory of 2112	836	omsecor.exe	35
PID 2112 wrote to memory of 1784	2112	omsecor.exe	36
PID 2112 wrote to memory of 1784	2112	omsecor.exe	36
PID 2112 wrote to memory of 1784	2112	omsecor.exe	36
PID 2112 wrote to memory of 1784	2112	omsecor.exe	36
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37
PID 1784 wrote to memory of 1292	1784	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
"C:\Users\Admin\AppData\Local\Temp\4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
  C:\Users\Admin\AppData\Local\Temp\4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
8cef9564016438cda60c98cf30783d48

SHA1
503fabbd1f6f8c57e9e19d1c02aa0c7e4f5c5b35

SHA256
5dbcb3b179c611851e56499e462f01b44c33916c7e76c561ba430c47ea815b42

SHA512
3b54f05228fd0fdcbd3afbf1ee0a8ccf13ca0393e6814eac75d4f3d37f72e4f3cfd91a90c777a82f7958cf9c64d26a8ddbdc5e2a4eef8aaa49a76dd2489a3425

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
e5c8d214ea4b467ad22b736b3437ae5e

SHA1
ca7b6bc9d10829166a03d357fd2adbc97737a8d1

SHA256
3429bb15177aae5a5e8bb2172e88eb84625c3a45f8b6e813e9fc5ad3cda7c5fc

SHA512
4f9d7cf034a365232ed8187217b20c5f8109641a8f474a47d40ec706ff13bb1dc8f516f01e7a3478bded207c45f258a2542fdfdb76ad2c1f80a8e5844c68e622

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
49365dcc0dccf2cd7f6020487ed2634e

SHA1
47871b608a832ecf3036ebe05f4a67ef6b75b3ce

SHA256
effb0a6761d21b1bd0214e920f54f33fa64c4d3f8d27ec51f0ec9822f48dcaa3

SHA512
8b30354f200ab885423eaf5640a96a3fe587c735d2c3dc92f0efe40c10593bd6193bbcc394588d923b7f301cdf7aad82c838010b341840110eae18a3369f99ff

Download Submit
memory/1292-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download