neconyd | 7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1

Analysis

max time kernel
140s
max time network
130s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10/01/2025, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Size

96KB
MD5

91de4d3077d1c1beab2298acba54cab6
SHA1

ae455abf836a7955ec04d529f99fe68e10556d6d
SHA256

7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1
SHA512

d655e8c4b8164bf5d6366839be8dd22e3949ffe2edd61607134f8c0b0c8f7f518c1f03bf01f5593c3160a93296afa717a6dff9ac7518331be46776c6c496b9d4
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1264	omsecor.exe
2008	omsecor.exe
532	omsecor.exe
2028	omsecor.exe
1604	omsecor.exe
2276	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
1264	omsecor.exe
2008	omsecor.exe
2008	omsecor.exe
2028	omsecor.exe
2028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1264 set thread context of 2008	1264	omsecor.exe	32
PID 532 set thread context of 2028	532	omsecor.exe	36
PID 1604 set thread context of 2276	1604	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 1832 wrote to memory of 2632	1832	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	30
PID 2632 wrote to memory of 1264	2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	31
PID 2632 wrote to memory of 1264	2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	31
PID 2632 wrote to memory of 1264	2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	31
PID 2632 wrote to memory of 1264	2632	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	31
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 1264 wrote to memory of 2008	1264	omsecor.exe	32
PID 2008 wrote to memory of 532	2008	omsecor.exe	35
PID 2008 wrote to memory of 532	2008	omsecor.exe	35
PID 2008 wrote to memory of 532	2008	omsecor.exe	35
PID 2008 wrote to memory of 532	2008	omsecor.exe	35
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 532 wrote to memory of 2028	532	omsecor.exe	36
PID 2028 wrote to memory of 1604	2028	omsecor.exe	37
PID 2028 wrote to memory of 1604	2028	omsecor.exe	37
PID 2028 wrote to memory of 1604	2028	omsecor.exe	37
PID 2028 wrote to memory of 1604	2028	omsecor.exe	37
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38
PID 1604 wrote to memory of 2276	1604	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
"C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
  C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d579a6df3c6b1f9f44999db4a1158cbf

SHA1
34f504e1f221cb2051e9b1074de8231729ef64c3

SHA256
fa6d702d455514b98998fbbbdf22ee258e5be281f4d20c60c5cbfd395b5bbf48

SHA512
7d90c219423ba0cc25ed1094c36b2d13ea7cb01e7010dbce0b3cb634b105ea19f441d5d9c8f5b3074b270a88d0c9c83a0663c9a1fdc8ed008e917f4786fa0374

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a917b9eece10e40f46ceded24557a52d

SHA1
06b3270e31c8642d941cc0540079a7fd095e6547

SHA256
69d04ebd8aa9f71a5db05b7e62bd9781423c5fc0302f0734d7cd8cc9b1a203b5

SHA512
9617a91563c29c336e9d1339b06e9de54938ef04a92de365a1f3bf6fd41f890b1c474713f726224a51cdbd7c7a5ce4201a26ba16383dd6ae8ac911b893f06405

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
36fcbbcaab2e76b1de2d1f0ba1c3a562

SHA1
08f7144e457bde5bc1a488f36441ff8e57e31bf0

SHA256
f8e1d695d3bf2414991801e3b8437041b27d6a46ad88bb69ecbc193ac8aa1606

SHA512
729580c18e84c09aee86a506f6df628d76866d545cb7141236825d9b0a55f37fb3508ee9524e5799c26275de22cf1aba5785acb973000dcd53b97ea6a52c3acb

Download Submit
memory/532-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/532-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1264-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1264-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1604-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1832-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1832-1-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/1832-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-46-0x0000000002220000-0x0000000002243000-memory.dmp

Filesize
140KB

Download
memory/2008-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2276-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download