neconyd | 052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06

Analysis

max time kernel
120s
max time network
99s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
Size

96KB
MD5

58d33f08933a68fe8dfd857b5bd6434f
SHA1

601fa23dc75c0299947078f922a0cbe01873c7b8
SHA256

052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06
SHA512

dc84bcbf573b6688593f0de80d606c461aef94d276a1fb50f7c6ce10f6af0a851568798de2e41112988d8d22c255c62b0dfe770a75884d2ca7a61f945ec1fc9e
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx5:EGs8cd8eXlYairZYqMddH135

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2440	omsecor.exe
2932	omsecor.exe
640	omsecor.exe
1528	omsecor.exe
2468	omsecor.exe
1992	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
2440	omsecor.exe
2932	omsecor.exe
2932	omsecor.exe
1528	omsecor.exe
1528	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2440 set thread context of 2932	2440	omsecor.exe	30
PID 640 set thread context of 1528	640	omsecor.exe	35
PID 2468 set thread context of 1992	2468	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 2424 wrote to memory of 1500	2424	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	28
PID 1500 wrote to memory of 2440	1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	29
PID 1500 wrote to memory of 2440	1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	29
PID 1500 wrote to memory of 2440	1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	29
PID 1500 wrote to memory of 2440	1500	052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe	29
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2440 wrote to memory of 2932	2440	omsecor.exe	30
PID 2932 wrote to memory of 640	2932	omsecor.exe	34
PID 2932 wrote to memory of 640	2932	omsecor.exe	34
PID 2932 wrote to memory of 640	2932	omsecor.exe	34
PID 2932 wrote to memory of 640	2932	omsecor.exe	34
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 640 wrote to memory of 1528	640	omsecor.exe	35
PID 1528 wrote to memory of 2468	1528	omsecor.exe	36
PID 1528 wrote to memory of 2468	1528	omsecor.exe	36
PID 1528 wrote to memory of 2468	1528	omsecor.exe	36
PID 1528 wrote to memory of 2468	1528	omsecor.exe	36
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37
PID 2468 wrote to memory of 1992	2468	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
"C:\Users\Admin\AppData\Local\Temp\052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
  C:\Users\Admin\AppData\Local\Temp\052ef64189e37ac9f33da3c6e411a866343eb8a944c5db25e29d97e75f32ce06.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
04e44493ed919f309eb9765da15b8163

SHA1
b3bb70e8bf85255f585a01dba7bc7a317d76307a

SHA256
9cad8fca8f3d6992128a01cb84e2a594edf8efc839268cd96b33cd6e1ad2619b

SHA512
fb5bc21d84df5926acd40f095bd96959135f182823c579fae06ab0d5ad5b42f8a0eb2f1868c7afb68f8bf014f6b97498ed8c504bbec446644e10c78876169408

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
609bdd4322b008405299f0bc3519957a

SHA1
a958ebbd5ac89dc2155bdbb0fa953f66f418bd3e

SHA256
24c5038063e1127cb330631eb164dcda622b43fbe394e1dd8f13054b92d73083

SHA512
c10cf9f56973147fc3cd3a9a5fc1dc1044f2180d230ed71609bbebb9545791ec9807d2374ba7870e55c3567a8b0cf1068ad50f0626817b2cc99f509815bdc5c8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ef2b4c0812298d964949b69ca4ebac0e

SHA1
ebe7d70493c326325c31898dbff8152611953573

SHA256
671a24f5761f7faea3a7c14057d6945d95ecda138fbc30d1ae90c8f84cde9e76

SHA512
f92a80e9f674d40fa5e8f9f9117adc61c435ee9430d6fff39d31a9d9149d9ff98442258b5f0fa03657e9123d75583e4bb346cb7c37ded341ea8934bb48598346

Download Submit
memory/640-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1500-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1500-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1500-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1500-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2424-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2440-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2440-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2932-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-46-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2932-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download