neconyd | 180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
Size

96KB
MD5

7aa641b1d69c7cc218cf6aec1254e860
SHA1

a67079b0fb7d7185dc0cdad3537d8aea27d58e2b
SHA256

180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244
SHA512

fb3711ccc5da435de67879277213b975c7dd1a693075fb4617487dac7acd85c91323b9cdef1535112f42af9f23381b15dcfb9b0f1e4e5eb56cefafe4d897638d
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:vGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2712	omsecor.exe
2812	omsecor.exe
1016	omsecor.exe
2880	omsecor.exe
3004	omsecor.exe
2508	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
2712	omsecor.exe
2812	omsecor.exe
2812	omsecor.exe
2880	omsecor.exe
2880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 2712 set thread context of 2812	2712	omsecor.exe	31
PID 1016 set thread context of 2880	1016	omsecor.exe	34
PID 3004 set thread context of 2508	3004	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 1712 wrote to memory of 2088	1712	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	29
PID 2088 wrote to memory of 2712	2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	30
PID 2088 wrote to memory of 2712	2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	30
PID 2088 wrote to memory of 2712	2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	30
PID 2088 wrote to memory of 2712	2088	180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe	30
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2712 wrote to memory of 2812	2712	omsecor.exe	31
PID 2812 wrote to memory of 1016	2812	omsecor.exe	33
PID 2812 wrote to memory of 1016	2812	omsecor.exe	33
PID 2812 wrote to memory of 1016	2812	omsecor.exe	33
PID 2812 wrote to memory of 1016	2812	omsecor.exe	33
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 1016 wrote to memory of 2880	1016	omsecor.exe	34
PID 2880 wrote to memory of 3004	2880	omsecor.exe	35
PID 2880 wrote to memory of 3004	2880	omsecor.exe	35
PID 2880 wrote to memory of 3004	2880	omsecor.exe	35
PID 2880 wrote to memory of 3004	2880	omsecor.exe	35
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36
PID 3004 wrote to memory of 2508	3004	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
"C:\Users\Admin\AppData\Local\Temp\180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
  C:\Users\Admin\AppData\Local\Temp\180576a3dcebf919f587c9e59b526a6a21f5c32ee7fb4bd428ee37d4c1e7e244N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b9d2740ab3d937b41fcaac9447499873

SHA1
7ceff6b95857ae80bea10701262bc0979839c469

SHA256
e80c8d1519a7018d3d4d72c66df9c7119fc7502efee8f08d09a39a6cc43ad4b0

SHA512
3b0b7fa09d984d686feadccd703b8df9a62096d6221e09a6081f04c7c983e7db88ba97c57f21a2db4e12e653322481feaa13cae69ec9a74e7add3c8bad8939a4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
09aca854ad3a7179e21642fd2657c3ec

SHA1
c1ed08a4c5e2cb72c0226aa9bcde9c5b254fea1c

SHA256
746a0da80efa1e8f3f27dab6bd9fb094dc13c66b83096638ddd5a79a1c8a6f0c

SHA512
026aec3c45766a9b08b5fef549b403718c3facdb5204471b7995c7e837a338835637ae210c104eaea70ab739c6ef3fa319487cb5cd6d43528773bdb79c10b193

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
032b77474a11cd8a1313b272a5ce0447

SHA1
daeb9fa656dbc2c2b9c128e0e7b19d3fcf79a952

SHA256
06dff22ccbb4d6e3faa8a617f0e4a530653552eee5b2626decaf0f86b2107d2f

SHA512
97aa659b464e29c8ab715ff537d113ebeb2d827540b7c3df192dfe7312da047b8417ae78f31ac3aac208d612f28334c783401383774032489e109c1fd6d67b52

Download Submit
memory/1016-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1016-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1712-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1712-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2712-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2812-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-54-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2812-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-52-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2812-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-72-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/3004-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download