neconyd | bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Size

96KB
MD5

78218d41fd66e7e6cadd47af577f71e1
SHA1

aa8a7ded8287b189a1a6cf82fbce6f71b6bcd688
SHA256

bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88
SHA512

7ec64b25ef5db3a3070b663c4f46b87daa54a54624ceeda1644e09e8ba6cec2c45c7d7d02920d522ff8c1dadcc11e127f7eb4aecc9c03c1e1e182dd3e02539a3
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:zGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2804	omsecor.exe
2796	omsecor.exe
484	omsecor.exe
340	omsecor.exe
2064	omsecor.exe
2404	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
2804	omsecor.exe
2796	omsecor.exe
2796	omsecor.exe
340	omsecor.exe
340	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 2804 set thread context of 2796	2804	omsecor.exe	33
PID 484 set thread context of 340	484	omsecor.exe	37
PID 2064 set thread context of 2404	2064	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 1804 wrote to memory of 2724	1804	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	31
PID 2724 wrote to memory of 2804	2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	32
PID 2724 wrote to memory of 2804	2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	32
PID 2724 wrote to memory of 2804	2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	32
PID 2724 wrote to memory of 2804	2724	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	32
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2804 wrote to memory of 2796	2804	omsecor.exe	33
PID 2796 wrote to memory of 484	2796	omsecor.exe	36
PID 2796 wrote to memory of 484	2796	omsecor.exe	36
PID 2796 wrote to memory of 484	2796	omsecor.exe	36
PID 2796 wrote to memory of 484	2796	omsecor.exe	36
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 484 wrote to memory of 340	484	omsecor.exe	37
PID 340 wrote to memory of 2064	340	omsecor.exe	38
PID 340 wrote to memory of 2064	340	omsecor.exe	38
PID 340 wrote to memory of 2064	340	omsecor.exe	38
PID 340 wrote to memory of 2064	340	omsecor.exe	38
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39
PID 2064 wrote to memory of 2404	2064	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
"C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
  C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
eec076cdc82f43b08d721f79500c8074

SHA1
9a6a6d9faef3e11b970f4e14c47f84384c36fafc

SHA256
3041bd8a974b30bc48fe113ea23488d0a1fdaadaf2a95bbfd9fb0e4c6c97c7e5

SHA512
33f5c6fbeb43e7554c430a539bed59c6c763cd9106bc31e6d80414c11a1404f2b10514828073ad8233f4070b6766c9636b929fbc72dfab6561a2bd975c114a56

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
197c7d22266523d60d5a9df44bcbb716

SHA1
c2883e2afb48b01eea7e1c3913b7a329f755c843

SHA256
2e87ac7a9714faac37b2e6e536f993081bca8fc6673e42cf9d2450b09981a016

SHA512
78dbd747ed55963e19c37c96bc67d6290250389d841dc6865335ef995e72c83ace9043ffaddf4166a2aa061064e360ab4678e23eea3b16203202817c658f246a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cedd4c385ec4c6ce4df36c592c2f34bd

SHA1
8d27f900a36494d3acff28975a485e1debe85b44

SHA256
5bd7996736023f2b4be56c0889cb6a7cc103a4c29e7a3718a5c74d661788503f

SHA512
6f3b844d639a2b9e798ceadfd99d569056a8484dec11907e3094a5fd7f3e1b8a08402ac32d9cbe543228b3d0e2bdcb9415a64ed8f7a3983a0013124710dea3dc

Download Submit
memory/340-73-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/484-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/484-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-8-0x0000000001C60000-0x0000000001C83000-memory.dmp

Filesize
140KB

Download
memory/1804-36-0x0000000001C60000-0x0000000001C83000-memory.dmp

Filesize
140KB

Download
memory/1804-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-49-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2796-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2804-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-25-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/2804-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download