neconyd | 7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799a

General

Target

7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
Size

76KB
MD5

69283bb5bc570089d169328e822ac0e0
SHA1

f124019a4ccd967b4a91dafce59097ef6d845850
SHA256

7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799a
SHA512

14306466426455e85d9805d509a89c5809c836a87607742b0bea83873831736544ded10e2779f808185cf8d976be2f999093fc5643e0616858b1c64c0447333b
SSDEEP

1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:fdseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2968	omsecor.exe
2900	omsecor.exe
1388	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
2968	omsecor.exe
2968	omsecor.exe
2900	omsecor.exe
2900	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2968	2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	30
PID 2952 wrote to memory of 2968	2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	30
PID 2952 wrote to memory of 2968	2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	30
PID 2952 wrote to memory of 2968	2952	7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe	30
PID 2968 wrote to memory of 2900	2968	omsecor.exe	33
PID 2968 wrote to memory of 2900	2968	omsecor.exe	33
PID 2968 wrote to memory of 2900	2968	omsecor.exe	33
PID 2968 wrote to memory of 2900	2968	omsecor.exe	33
PID 2900 wrote to memory of 1388	2900	omsecor.exe	34
PID 2900 wrote to memory of 1388	2900	omsecor.exe	34
PID 2900 wrote to memory of 1388	2900	omsecor.exe	34
PID 2900 wrote to memory of 1388	2900	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe
"C:\Users\Admin\AppData\Local\Temp\7221f5495948d5f28e42a280b0a92a6c8f407052615be38f88019a78ddf4799aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1388

Network

DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A

Response

lousta.net

IN A

193.166.255.171
DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A
DNS

mkkuei4kdsz.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

mkkuei4kdsz.com

IN A

Response

mkkuei4kdsz.com

IN A

3.33.243.145

mkkuei4kdsz.com

IN A

15.197.204.56
GET

http://mkkuei4kdsz.com/650/806.html

omsecor.exe

Remote address:

3.33.243.145:80

Request

GET /650/806.html HTTP/1.1
From: 133810941512746000
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?52ed84`b32gf`7h/cg4bh18d.ee4c4dg
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-type: text/html
date: Sat, 11 Jan 2025 18:37:08 GMT
content-length: 114
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response

ow5dirasuek.com

IN A

52.34.198.229
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A
GET

http://ow5dirasuek.com/64/320.html

omsecor.exe

Remote address:

52.34.198.229:80

Request

GET /64/320.html HTTP/1.1
From: 133810941512746000
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?52ed84`b32gf`7h/cg4bh18d.ee4c4dg
Host: ow5dirasuek.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 11 Jan 2025 18:37:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a5794eaffd188e0ebf0b3aa64d19f0f8|181.215.176.83|1736620639|1736620639|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

193.166.255.171:80

lousta.net

omsecor.exe

152 B
3
193.166.255.171:80

lousta.net

omsecor.exe

152 B
3
3.33.243.145:80

http://mkkuei4kdsz.com/650/806.html

http

omsecor.exe

804 B
640 B
9
5

HTTP Request

GET http://mkkuei4kdsz.com/650/806.html

HTTP Response

200
52.34.198.229:80

http://ow5dirasuek.com/64/320.html

http

omsecor.exe

420 B
623 B
5
5

HTTP Request

GET http://ow5dirasuek.com/64/320.html

HTTP Response

200
193.166.255.171:80

lousta.net

omsecor.exe

152 B
3

8.8.8.8:53

lousta.net

dns

omsecor.exe

112 B
72 B
2
1

DNS Request

lousta.net

DNS Request

lousta.net

DNS Response

193.166.255.171
8.8.8.8:53

mkkuei4kdsz.com

dns

omsecor.exe

61 B
93 B
1
1

DNS Request

mkkuei4kdsz.com

DNS Response

3.33.243.145

15.197.204.56
8.8.8.8:53

ow5dirasuek.com

dns

omsecor.exe

122 B
77 B
2
1

DNS Request

ow5dirasuek.com

DNS Request

ow5dirasuek.com

DNS Response

52.34.198.229

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
754f7742e64098569ee4c4d15fdccb84

SHA1
6fe048c9d1ed5337b1b65cd0f641a71eeda9c1dd

SHA256
5eefff4b213b342ced4d42b1748700c0682b3f30d27d38d406b731980f19e7cd

SHA512
a8ac38f30108740edc1df7a1fc690111112dc1191b92a26b5c69d07cbe86f706b9cc8c6ee5b845a93b69e9355aa2b3e321ba1d481a4e4754c16ccab7e32a9331

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
e44b191f899af00f8103c6ab5b43e178

SHA1
d8a7b33da76624145bcc790c3baa8557f22cd4a3

SHA256
7f724bdf3b2da8ed56f32b90adb248d8e61ae4b635c521e780c059790af5b1a9

SHA512
9f6003d8e683ede2e07fc5a8c4cf1f6aeef4fb2894df583c0217785fe697ab2e381fdabfa5cae1d7f93f8e126f03378533ded6ac25405e529ab0183983803622

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
a32f73533ccae41a62459ae7fcca875f

SHA1
7ded7d3e048700fa43de034a19ac00f8d4485b4e

SHA256
ce869721df9edd07af3235048b80b51559f6be0581a5cc3d6c966a4c28541217

SHA512
ea5e73c992e438a416728114bbef681a359fbcb8b3317d7ab9548dff49bc4c7f016de7a635c7625c26cab97360b7fcc6f6754c1f846922572b858167829735a9

Download Submit
memory/1388-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2900-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2900-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2900-36-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2900-35-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2952-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2952-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2952-4-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2968-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-19-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2968-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.