neconyd | bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Size

96KB
MD5

78218d41fd66e7e6cadd47af577f71e1
SHA1

aa8a7ded8287b189a1a6cf82fbce6f71b6bcd688
SHA256

bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88
SHA512

7ec64b25ef5db3a3070b663c4f46b87daa54a54624ceeda1644e09e8ba6cec2c45c7d7d02920d522ff8c1dadcc11e127f7eb4aecc9c03c1e1e182dd3e02539a3
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:zGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2440	omsecor.exe
2932	omsecor.exe
2324	omsecor.exe
2044	omsecor.exe
2000	omsecor.exe
1952	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
2440	omsecor.exe
2932	omsecor.exe
2932	omsecor.exe
2044	omsecor.exe
2044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2440 set thread context of 2932	2440	omsecor.exe	30
PID 2324 set thread context of 2044	2324	omsecor.exe	35
PID 2000 set thread context of 1952	2000	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2424 wrote to memory of 2088	2424	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	28
PID 2088 wrote to memory of 2440	2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	29
PID 2088 wrote to memory of 2440	2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	29
PID 2088 wrote to memory of 2440	2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	29
PID 2088 wrote to memory of 2440	2088	bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe	29
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2932 wrote to memory of 2324	2932	omsecor.exe	34
PID 2932 wrote to memory of 2324	2932	omsecor.exe	34
PID 2932 wrote to memory of 2324	2932	omsecor.exe	34
PID 2932 wrote to memory of 2324	2932	omsecor.exe	34
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2324 wrote to memory of 2044	2324	omsecor.exe	35
PID 2044 wrote to memory of 2000	2044	omsecor.exe	36
PID 2044 wrote to memory of 2000	2044	omsecor.exe	36
PID 2044 wrote to memory of 2000	2044	omsecor.exe	36
PID 2044 wrote to memory of 2000	2044	omsecor.exe	36
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37
PID 2000 wrote to memory of 1952	2000	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
"C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
  C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
eec076cdc82f43b08d721f79500c8074

SHA1
9a6a6d9faef3e11b970f4e14c47f84384c36fafc

SHA256
3041bd8a974b30bc48fe113ea23488d0a1fdaadaf2a95bbfd9fb0e4c6c97c7e5

SHA512
33f5c6fbeb43e7554c430a539bed59c6c763cd9106bc31e6d80414c11a1404f2b10514828073ad8233f4070b6766c9636b929fbc72dfab6561a2bd975c114a56

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d3aa46bd567e37662417067363e81e0e

SHA1
20bb540437704995c8d7d1b409d516a0dccf168b

SHA256
5607a65eb9e85b80ef25d0b7ab00fb2772f2618b844f177a98e86e3078cbbfae

SHA512
ecfe3627d96b011cd3f7f3f1b6b0358e518cb86685b12f175c8cb63d2d3c122c2567e673fbeae93183b766ce52f53a51835495b3f274f6cf82ab9da9945e4e18

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1b0735316571d4c9ad9fd11314ee6413

SHA1
3ea541df3b7ae07036c69e2502d52fa09b1447cc

SHA256
53ff281698e7a5c0e0d8ee3017199a94c88aea236d0e70f2d65360b1c875c68b

SHA512
a2776bce3c374353d50666265590435a957740fc2affe60607a6e44ef98e81bd58b613cff5e115102e1d8d3e0bbc3c02cdcf3a2d8f8aa001e51db46562cb9192

Download Submit
memory/1952-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2324-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-8-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2440-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2440-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2932-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-47-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2932-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download