neconyd | 93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
Size

134KB
MD5

d5aee007bfb079b02ddcee2f75b28f25
SHA1

15510c802a3476dee812d7fdc72690beabc5089e
SHA256

93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0
SHA512

f2eb7c32e0f661b1cfc0cb797ff7084f3970b9c1cf8cbc810da4a3d6e7d7cccca83a6a1f4a419adbcc88553a7d7b4cb8da2496f2bd21fd2e800f285129522f05
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:SiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2376	omsecor.exe
624	omsecor.exe
2952	omsecor.exe
3000	omsecor.exe
2804	omsecor.exe
1800	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
2376	omsecor.exe
624	omsecor.exe
624	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2376 set thread context of 624	2376	omsecor.exe	32
PID 2952 set thread context of 3000	2952	omsecor.exe	36
PID 2804 set thread context of 1800	2804	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2072 wrote to memory of 2388	2072	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	30
PID 2388 wrote to memory of 2376	2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	31
PID 2388 wrote to memory of 2376	2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	31
PID 2388 wrote to memory of 2376	2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	31
PID 2388 wrote to memory of 2376	2388	93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe	31
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 2376 wrote to memory of 624	2376	omsecor.exe	32
PID 624 wrote to memory of 2952	624	omsecor.exe	35
PID 624 wrote to memory of 2952	624	omsecor.exe	35
PID 624 wrote to memory of 2952	624	omsecor.exe	35
PID 624 wrote to memory of 2952	624	omsecor.exe	35
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 2952 wrote to memory of 3000	2952	omsecor.exe	36
PID 3000 wrote to memory of 2804	3000	omsecor.exe	37
PID 3000 wrote to memory of 2804	3000	omsecor.exe	37
PID 3000 wrote to memory of 2804	3000	omsecor.exe	37
PID 3000 wrote to memory of 2804	3000	omsecor.exe	37
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38
PID 2804 wrote to memory of 1800	2804	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
"C:\Users\Admin\AppData\Local\Temp\93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
  C:\Users\Admin\AppData\Local\Temp\93c7cb5f936c0078ce463884bff0fb6318ea637e2e3815b267f0e990919df0c0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3270c8ae3664981bd273c55256900967

SHA1
6da751d5ec14f4047313112afc4bd92b858ae0af

SHA256
42baf1d5746c4d828d8231dd81b9d32129604d07ddf1c6c67051ae5026af3a21

SHA512
416c454bdef4a342899d7917968ca111f892654b9f62f89084d68178ae139f3a4ae42c7301ad16321494757ce1e676113af84210f7beb1f7415bb2c3c56eb0cf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
73e18443a34ba0ddf5090c1302dccef8

SHA1
1733f29048ab5998cf755f7b6ad0213c0ee1dc33

SHA256
b981baa436e1f2940f268372f258e266ea73300f6ceacfaf455b741853ad9acd

SHA512
38aac9e026a8b3b0c1344913f49f5eabb3ae26f3354bddfc44226e836dc0426780e3203aaea2e3cd4d71c6c492abedfb45925a2dccab066278fc7ca26325e2b8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e36ac2bc7d3dea8a4db133d53956b08a

SHA1
023741628bed38dfca2dcb8946cdb7f6486e9b4c

SHA256
59c933369b0ee697e93b6431653a023d013fcc3dc8a8b7c718c7570f1af86d42

SHA512
551ed9f71f34652823668aab505ab848f3c8161eadabe784deba106ebb5d1fa5f7a732eb09026c1379e4a356eab5eb335733bcc4385b481ab7992b65eb5106ac

Download Submit
memory/624-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/624-45-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/624-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/624-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/624-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/624-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1800-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1800-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2072-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-23-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2376-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2388-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2804-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3000-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download