neconyd | b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Size

96KB
MD5

6389bc155ba269a9096dac1d22b6643d
SHA1

b7223ece46cc54483d352f48dff04959596cbd9a
SHA256

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188
SHA512

ef4e28f551d352944f9481bb53bd543752c199f65fc6b0b2dd0513090023d22fe177dda38a7ee4149fe0f53fbbd835f75e230db510a6a9d57118e9247366afc7
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:TGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2088	omsecor.exe
2360	omsecor.exe
2664	omsecor.exe
1620	omsecor.exe
1288	omsecor.exe
540	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
2088	omsecor.exe
2360	omsecor.exe
2360	omsecor.exe
1620	omsecor.exe
1620	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 2088 set thread context of 2360	2088	omsecor.exe	32
PID 2664 set thread context of 1620	2664	omsecor.exe	36
PID 1288 set thread context of 540	1288	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 1992 wrote to memory of 816	1992	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	30
PID 816 wrote to memory of 2088	816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 816 wrote to memory of 2088	816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 816 wrote to memory of 2088	816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 816 wrote to memory of 2088	816	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2088 wrote to memory of 2360	2088	omsecor.exe	32
PID 2360 wrote to memory of 2664	2360	omsecor.exe	35
PID 2360 wrote to memory of 2664	2360	omsecor.exe	35
PID 2360 wrote to memory of 2664	2360	omsecor.exe	35
PID 2360 wrote to memory of 2664	2360	omsecor.exe	35
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 2664 wrote to memory of 1620	2664	omsecor.exe	36
PID 1620 wrote to memory of 1288	1620	omsecor.exe	37
PID 1620 wrote to memory of 1288	1620	omsecor.exe	37
PID 1620 wrote to memory of 1288	1620	omsecor.exe	37
PID 1620 wrote to memory of 1288	1620	omsecor.exe	37
PID 1288 wrote to memory of 540	1288	omsecor.exe	38
PID 1288 wrote to memory of 540	1288	omsecor.exe	38
PID 1288 wrote to memory of 540	1288	omsecor.exe	38
PID 1288 wrote to memory of 540	1288	omsecor.exe	38
PID 1288 wrote to memory of 540	1288	omsecor.exe	38
PID 1288 wrote to memory of 540	1288	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
"C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
55909657b40da99b0ed528a78b8d8352

SHA1
312537908fbb9f7f9ec739bda022dfe6ec8bd5cb

SHA256
8fa55f6341c69d7d644d4de2ddf2d98882095a04f71afedf7b2686446ddc0fcb

SHA512
bf0b32ffe5ed9d0a10dd55d8f29934bc56ec48c05b7821d6af6441cf99d3811821276d42916dae2fa1d1fa8d95e15563a389923397bcf973107a0e8c0f89e245

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1d2b4e8e080e8f33544f695b4e7841e3

SHA1
b4f05175e17a7fb93a3677b31662efb6643ab8c4

SHA256
2b00a6765ea31d15c26a558a2f0e9232d8d1aeae84d19de46640b5481c986441

SHA512
ecf3cbdfdb064b0fd6220ed39a23c452ebff7dadfac1051e7be40cb3a91caf936627c9707b2386881816753b875fcdfc6238a3b862faaf2d5dc04255d0049a9f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1b3d370fbed52cea0b43079783f6c28f

SHA1
5da06f4ae0932a4c8a9e36531cd8c93daa5461f8

SHA256
0acbc91f7f066cfb8461790772b8921ad2978e882fd30843c0098a3c2c869aa6

SHA512
37a357729909b1da74c108ae8be9def6e8e94755b8b2b90cf552289ed22b811c0af8a6de7dc4c7dc05be581da774eee0cb61a62ca4e452edd317f5e863c87471

Download Submit
memory/540-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/816-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1288-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1288-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2664-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download