neconyd | 93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Size

96KB
MD5

7cf5710b6312198f6ba4c3c03656deb0
SHA1

043d29d59d239d30ddc7573df9bf7ce99d2d3369
SHA256

93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19
SHA512

77487984acede01d4c3fb74dbcbb097898ed351747c3b5173dbad9f763d7689f8cfed4ace9bd47d00e439325d166f61c032df1f279c5b2e955babd3bccbc6645
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1548	omsecor.exe
2064	omsecor.exe
1956	omsecor.exe
1572	omsecor.exe
1724	omsecor.exe
1704	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
1548	omsecor.exe
2064	omsecor.exe
2064	omsecor.exe
1572	omsecor.exe
1572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 1548 set thread context of 2064	1548	omsecor.exe	32
PID 1956 set thread context of 1572	1956	omsecor.exe	36
PID 1724 set thread context of 1704	1724	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 2336 wrote to memory of 1660	2336	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	30
PID 1660 wrote to memory of 1548	1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	31
PID 1660 wrote to memory of 1548	1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	31
PID 1660 wrote to memory of 1548	1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	31
PID 1660 wrote to memory of 1548	1660	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	31
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 1548 wrote to memory of 2064	1548	omsecor.exe	32
PID 2064 wrote to memory of 1956	2064	omsecor.exe	35
PID 2064 wrote to memory of 1956	2064	omsecor.exe	35
PID 2064 wrote to memory of 1956	2064	omsecor.exe	35
PID 2064 wrote to memory of 1956	2064	omsecor.exe	35
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1956 wrote to memory of 1572	1956	omsecor.exe	36
PID 1572 wrote to memory of 1724	1572	omsecor.exe	37
PID 1572 wrote to memory of 1724	1572	omsecor.exe	37
PID 1572 wrote to memory of 1724	1572	omsecor.exe	37
PID 1572 wrote to memory of 1724	1572	omsecor.exe	37
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38
PID 1724 wrote to memory of 1704	1724	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
"C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
  C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7e8ca65ee1b577524e4e09cf5e899864

SHA1
c99a59ad46b22b11a55776306a83b790ea0a3adb

SHA256
fb630745f04e0e7481e3a695f116d242e3241a7c97cf03388a4c3fba67614f0e

SHA512
455f31537f77c1b29367200f4005d4da9c9439efbeb029bb6b554cd784b480490eff9faf0d5e472ac140cce08f9f76109874061f91c8bd241cded94eca538f1f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
bc26f80bbbc1e4125f022e6bceade6ae

SHA1
0c62e00b0ac480915faed1d2bceae2a8f52a988f

SHA256
32dc5935fcb1314ee38295cf4e68ca82842555e9b5f693461b71140f3c83a7be

SHA512
4cfcdb59771d9d4c21fc960b0a2550d201c7a7e456c16d6e5a9e54d6449c7632b8eb6c73865a58ce48e6581e7383dff20860730407c0db981b6cdfaeefca8967

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
220fcd58d212bace0b441e29c632ef42

SHA1
6c3894b8897da318501a0885cf37644ec7502599

SHA256
a6db75469460b4346ea699324ada70d3745b446a1e9110d56820f0153831d1a3

SHA512
6ac889e7b91cc25ebac267f4c63f64b5bee66cc65f80dcc1a3371b7017293cd2f793ec2633c71b389085f98aadba03f23c649ee87b72ddb1169ae1a81657c1bd

Download Submit
memory/1548-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1660-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1660-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1724-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1724-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-54-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2064-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-88-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2064-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download