neconyd | 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/01/2025, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Size

96KB
MD5

8cf5d2de5a442b238701e0c509d5dbed
SHA1

5621535b5949f5ab0b93de04939da73d4efb3720
SHA256

33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b
SHA512

aec251a989d46f3cb7949574b0c46dce0ca003bab515c8b5cae44442411f0deb5d857ebe3a754439ef4aec15287c9367467c799fbeeb01a6216a58e4cbdba35c
SSDEEP

1536:7nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:7Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2552	omsecor.exe
2876	omsecor.exe
1964	omsecor.exe
2812	omsecor.exe
1428	omsecor.exe
2936	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
2552	omsecor.exe
2876	omsecor.exe
2876	omsecor.exe
2812	omsecor.exe
2812	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1164 set thread context of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 2552 set thread context of 2876	2552	omsecor.exe	31
PID 1964 set thread context of 2812	1964	omsecor.exe	34
PID 1428 set thread context of 2936	1428	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 1164 wrote to memory of 3016	1164	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	29
PID 3016 wrote to memory of 2552	3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	30
PID 3016 wrote to memory of 2552	3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	30
PID 3016 wrote to memory of 2552	3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	30
PID 3016 wrote to memory of 2552	3016	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	30
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2552 wrote to memory of 2876	2552	omsecor.exe	31
PID 2876 wrote to memory of 1964	2876	omsecor.exe	33
PID 2876 wrote to memory of 1964	2876	omsecor.exe	33
PID 2876 wrote to memory of 1964	2876	omsecor.exe	33
PID 2876 wrote to memory of 1964	2876	omsecor.exe	33
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 1964 wrote to memory of 2812	1964	omsecor.exe	34
PID 2812 wrote to memory of 1428	2812	omsecor.exe	35
PID 2812 wrote to memory of 1428	2812	omsecor.exe	35
PID 2812 wrote to memory of 1428	2812	omsecor.exe	35
PID 2812 wrote to memory of 1428	2812	omsecor.exe	35
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36
PID 1428 wrote to memory of 2936	1428	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
"C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e6582fd2a53dd0fd69a510709218210c

SHA1
9d0785aab0572c6ad1f2c4ac05964cc3fde5b90c

SHA256
2eefc66a4a30098447bae464b94a2ec1a8069309a2ac724dfa6146b9a00d7e5b

SHA512
2e06bff8aa7a850336edc1ef3ce4cf7e11a776643c6bfd2999fbc5a06b1bdfc54ad7521b04fc240664e58c5e7a3c7f8eae907d56bb739e1dceac181771a180ae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4321ddd4d771eabc4b55d43d53a96550

SHA1
c5916542aacd25337befc660a6e50e3e9ba13f62

SHA256
d33349a1f291d060372509f903803bdf7323f01187f17276dd53b058f9871f1c

SHA512
65f4f7ab957c5b41a5f9abebbfa814afaf1bc0125b2944732b4006a7881f4b4abfc9e45249ce5cea305b7925827e31fa077a0770bc96413d1cd566deeacfe36f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2b74deb9e19b361f8a47577dd4a8effd

SHA1
1bc4302eeea400a858651df57f79b1d5939af43d

SHA256
8386806c972595cf57898a5be12e2d11e6301b5df892c27b5893b3245d796f99

SHA512
7c19e22966f2142c38adb156903443ccc242a0bb0dcdfe545f2bb653a8011546b0f5d3bdcfe69ce1b2a48de8244e359c915276db04439f285a7f2c7c4ea0d571

Download Submit
memory/1164-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1164-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1428-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1964-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2552-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2552-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2552-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2812-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2876-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2876-49-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2876-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2936-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2936-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3016-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download