neconyd | 19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
Size

96KB
MD5

b6c11374a70c8c650f8555c2e6a77acc
SHA1

d3c3a0de61b638e44e9372315193b8f342af5914
SHA256

19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096
SHA512

acbe633c216b2e7851af349492c8985c1467bbdfad64183cf62e0dc8f6ff785b221a06d1591b7fdd4d2fc757d2fe43cca61c9a95f9dbd81461ea6f1244b46d81
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:DGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1636	omsecor.exe
2324	omsecor.exe
2940	omsecor.exe
1176	omsecor.exe
1900	omsecor.exe
2984	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
1636	omsecor.exe
2324	omsecor.exe
2324	omsecor.exe
1176	omsecor.exe
1176	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 1636 set thread context of 2324	1636	omsecor.exe	33
PID 2940 set thread context of 1176	2940	omsecor.exe	36
PID 1900 set thread context of 2984	1900	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2576 wrote to memory of 2356	2576	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	31
PID 2356 wrote to memory of 1636	2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	32
PID 2356 wrote to memory of 1636	2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	32
PID 2356 wrote to memory of 1636	2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	32
PID 2356 wrote to memory of 1636	2356	19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe	32
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 1636 wrote to memory of 2324	1636	omsecor.exe	33
PID 2324 wrote to memory of 2940	2324	omsecor.exe	35
PID 2324 wrote to memory of 2940	2324	omsecor.exe	35
PID 2324 wrote to memory of 2940	2324	omsecor.exe	35
PID 2324 wrote to memory of 2940	2324	omsecor.exe	35
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 2940 wrote to memory of 1176	2940	omsecor.exe	36
PID 1176 wrote to memory of 1900	1176	omsecor.exe	37
PID 1176 wrote to memory of 1900	1176	omsecor.exe	37
PID 1176 wrote to memory of 1900	1176	omsecor.exe	37
PID 1176 wrote to memory of 1900	1176	omsecor.exe	37
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38
PID 1900 wrote to memory of 2984	1900	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
"C:\Users\Admin\AppData\Local\Temp\19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
  C:\Users\Admin\AppData\Local\Temp\19109267c40fdffcb60d1b0351989d4db980dac738831fbcffd0a421ad72a096.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ce26eb1fd17e208d0304cebb0fcdf16c

SHA1
dfb1e9334107fb835e88809f87754bee72f925e6

SHA256
928e1ef4a8ce5d314e1ead10bcb87c8516c78e2054cca08a8f9050cbc87337a3

SHA512
632be355a151413834f13f35ede2de941549e53807b59f0c50450a3bc1a1b15ff36fd76356447e8b3ab9d25d5837a3f837d3a05d1ab80ef021df2152e6f97e83

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c0ea5172d4a99b45d2fbb2fd3d5b6287

SHA1
f385ca80c5ee095e9bbae0df3785916c39af97bc

SHA256
a3c7111e6feff40a58175ba1daf19ec49179d6aed2fdd8443d37b92951304584

SHA512
b038da62eb477e3d97cae78b24320a840322c092e65583302329874389761b549029f20f8de984958374676b31ddff0e3595fd070e2f1bb9eaba5fbabe479c4c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a381e2ace131a2a28d93c5bf0c8e3943

SHA1
6cc0cc4bee63ebd6ed047790023f8eaec8e259e7

SHA256
3d05b0a4f68343236e919ac5f0a6d36f112f65f3194d6c5ff8fa80cf9d1fe8d6

SHA512
0b8a72bb3cf3678d9ed660c571ea294520db1be2b0b9178c5b1eec3801a67e176251744b91ca9eba884eedcb9dfab849317c59057f8049255da79c5851ae50a8

Download Submit
memory/1636-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-26-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/1900-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1900-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2324-49-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2324-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-57-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2324-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-17-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2356-19-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2356-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2576-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2940-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download