neconyd | b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Size

96KB
MD5

6389bc155ba269a9096dac1d22b6643d
SHA1

b7223ece46cc54483d352f48dff04959596cbd9a
SHA256

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188
SHA512

ef4e28f551d352944f9481bb53bd543752c199f65fc6b0b2dd0513090023d22fe177dda38a7ee4149fe0f53fbbd835f75e230db510a6a9d57118e9247366afc7
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:TGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2608	omsecor.exe
2724	omsecor.exe
1336	omsecor.exe
2692	omsecor.exe
632	omsecor.exe
1828	omsecor.exe

Loads dropped DLL 8 IoCs

pid	Process
2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
2608	omsecor.exe
2724	omsecor.exe
2724	omsecor.exe
1336	omsecor.exe
2692	omsecor.exe
2692	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2608 set thread context of 2724	2608	omsecor.exe	33
PID 1336 set thread context of 2692	1336	omsecor.exe	36
PID 632 set thread context of 1828	632	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2564 wrote to memory of 2296	2564	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	31
PID 2296 wrote to memory of 2608	2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	32
PID 2296 wrote to memory of 2608	2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	32
PID 2296 wrote to memory of 2608	2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	32
PID 2296 wrote to memory of 2608	2296	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	32
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2608 wrote to memory of 2724	2608	omsecor.exe	33
PID 2724 wrote to memory of 1336	2724	omsecor.exe	35
PID 2724 wrote to memory of 1336	2724	omsecor.exe	35
PID 2724 wrote to memory of 1336	2724	omsecor.exe	35
PID 2724 wrote to memory of 1336	2724	omsecor.exe	35
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 1336 wrote to memory of 2692	1336	omsecor.exe	36
PID 2692 wrote to memory of 632	2692	omsecor.exe	37
PID 2692 wrote to memory of 632	2692	omsecor.exe	37
PID 2692 wrote to memory of 632	2692	omsecor.exe	37
PID 2692 wrote to memory of 632	2692	omsecor.exe	37
PID 632 wrote to memory of 1828	632	omsecor.exe	38
PID 632 wrote to memory of 1828	632	omsecor.exe	38
PID 632 wrote to memory of 1828	632	omsecor.exe	38
PID 632 wrote to memory of 1828	632	omsecor.exe	38
PID 632 wrote to memory of 1828	632	omsecor.exe	38
PID 632 wrote to memory of 1828	632	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
"C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
55909657b40da99b0ed528a78b8d8352

SHA1
312537908fbb9f7f9ec739bda022dfe6ec8bd5cb

SHA256
8fa55f6341c69d7d644d4de2ddf2d98882095a04f71afedf7b2686446ddc0fcb

SHA512
bf0b32ffe5ed9d0a10dd55d8f29934bc56ec48c05b7821d6af6441cf99d3811821276d42916dae2fa1d1fa8d95e15563a389923397bcf973107a0e8c0f89e245

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
db19e3b57011593a1d8db36b3145887f

SHA1
8b807c9412084e84b7b6049d9f07e1a62f7e2432

SHA256
cc9c7d51ca6baeb2bd13e4dc6049ab506ead0e60b2cc0b13548af17980670a0f

SHA512
9c1e7dec0aad91d2538a39db6810eef3ac0373e64643336f1ffbced202ee1639198535ecad0fe8657bcdda635bdae9332c38e5020baf7cd1ab646f1bd86af74e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2780dd5316be9d4b2c945e025128abe8

SHA1
ba0ab27eb13673c29a558b81ae95663f2e8dd894

SHA256
41dc9a87683d2f6303e3640d2377c5eef8fd535f166da311b0bbd28b2b57356e

SHA512
69ea95b937d65a1527329920d76d95133dd19ed56bdac951fec8b6b3a9fc7d8e4b94027acfb1df9045921ec3c61e26eae2146838081376081d9467212a117390

Download Submit
memory/632-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/632-84-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1336-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1336-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1336-62-0x00000000002E0000-0x0000000000303000-memory.dmp

Filesize
140KB

Download
memory/1828-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1828-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-5-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2608-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2608-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2608-25-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2692-75-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2724-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-54-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2724-56-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2724-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download