neconyd | b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
Size

96KB
MD5

e1b93335be80e38d60faa0995501b964
SHA1

a3ad93a38cd65ac73a57e68a2c87e2ff16a509ed
SHA256

b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27
SHA512

cd0832b92998c34487b4c60b2e4cc66a59e719a14b857bf3b56af43fefcb1ec31bb33b7c3dff7edea574c6a594878360ec47f57a61cdeb6c404bf6d3505e4867
SSDEEP

1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:1Gs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2344	omsecor.exe
1300	omsecor.exe
2668	omsecor.exe
1528	omsecor.exe
1208	omsecor.exe
2952	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
2344	omsecor.exe
1300	omsecor.exe
1300	omsecor.exe
1528	omsecor.exe
1528	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2344 set thread context of 1300	2344	omsecor.exe	32
PID 2668 set thread context of 1528	2668	omsecor.exe	36
PID 1208 set thread context of 2952	1208	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2100 wrote to memory of 2168	2100	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	30
PID 2168 wrote to memory of 2344	2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	31
PID 2168 wrote to memory of 2344	2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	31
PID 2168 wrote to memory of 2344	2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	31
PID 2168 wrote to memory of 2344	2168	b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe	31
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 2344 wrote to memory of 1300	2344	omsecor.exe	32
PID 1300 wrote to memory of 2668	1300	omsecor.exe	35
PID 1300 wrote to memory of 2668	1300	omsecor.exe	35
PID 1300 wrote to memory of 2668	1300	omsecor.exe	35
PID 1300 wrote to memory of 2668	1300	omsecor.exe	35
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 2668 wrote to memory of 1528	2668	omsecor.exe	36
PID 1528 wrote to memory of 1208	1528	omsecor.exe	37
PID 1528 wrote to memory of 1208	1528	omsecor.exe	37
PID 1528 wrote to memory of 1208	1528	omsecor.exe	37
PID 1528 wrote to memory of 1208	1528	omsecor.exe	37
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38
PID 1208 wrote to memory of 2952	1208	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
"C:\Users\Admin\AppData\Local\Temp\b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
  C:\Users\Admin\AppData\Local\Temp\b6f4480086f4978357faae02c63e9962dc5e576e854939f9f5ebe4c0d280bd27.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
00f5c849a831e0374558bf4b0d08c3e6

SHA1
b947f5505795b1bec862ddaa43a704f31cf1c889

SHA256
6a44614d9af5900ec8284894d2366ba3241e740a8fffb3da68ad4e66f6b8be65

SHA512
5efad890e869a603e140535b1351cf391f9ef0b0dbf5bbe71f65c0bee9e9c0b7cab3e78b2e34068c70c5fb2fd1fc19d8c4840bf4eb0732a309d53f302e7d6272

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f2bb489148f487ef6d087b4d69729eb8

SHA1
0e5a46dd7177037d63c758872b3468ee60b68266

SHA256
4822fab0db6315916e8b0be1d208917dc124b4d5eab258a2f4cd39987734bc87

SHA512
7d5432a424f9230b234c56d4051093423dc4614a22b21d137ef6a1fc329a09002f1024e68bf17b288d3c521a730ca25cd0cda26ccfc75e405dfcdf9fd999750c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
02dfd93d29d706f8e5eff8cb5ba55601

SHA1
b7719339dff130c61e999bf907f579265b401b94

SHA256
d6b2ede5389d8ce1a181d4a0191ebd09e56bef57fd5fb5aa0a3b4bd1bb592282

SHA512
84b0d21a60b821f80819b9a9acc9b687ed119e778944acd7f129c97d406165dc859d432f5ab0018ffe50f0f62ef8b3b6fef49760e7f51d8dd503774ea106edc6

Download Submit
memory/1208-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1208-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1300-46-0x0000000000380000-0x00000000003A3000-memory.dmp

Filesize
140KB

Download
memory/1300-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-70-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2100-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2100-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2168-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2952-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download