neconyd | 9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780e

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Size

134KB
MD5

acd5d87e072e2b397b32af9114ca7e60
SHA1

2df8835eb662dfa19af62d7bebfe042ef5e9ff62
SHA256

9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780e
SHA512

309ee57f5c28455aad2acf00720bbcf9b97947ab0434c18175b8fbd81546e31fcfef29cb7f0ec68947f83fa4b5aa3f5e4748279546a0ed717d92fbaa1bf46d8b
SSDEEP

1536:ADfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:2iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2824	omsecor.exe
2696	omsecor.exe
2756	omsecor.exe
464	omsecor.exe
1756	omsecor.exe
2516	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
2824	omsecor.exe
2696	omsecor.exe
2696	omsecor.exe
464	omsecor.exe
464	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 2824 set thread context of 2696	2824	omsecor.exe	32
PID 2756 set thread context of 464	2756	omsecor.exe	36
PID 1756 set thread context of 2516	1756	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 3064 wrote to memory of 2888	3064	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	30
PID 2888 wrote to memory of 2824	2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	31
PID 2888 wrote to memory of 2824	2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	31
PID 2888 wrote to memory of 2824	2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	31
PID 2888 wrote to memory of 2824	2888	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	31
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2824 wrote to memory of 2696	2824	omsecor.exe	32
PID 2696 wrote to memory of 2756	2696	omsecor.exe	35
PID 2696 wrote to memory of 2756	2696	omsecor.exe	35
PID 2696 wrote to memory of 2756	2696	omsecor.exe	35
PID 2696 wrote to memory of 2756	2696	omsecor.exe	35
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 2756 wrote to memory of 464	2756	omsecor.exe	36
PID 464 wrote to memory of 1756	464	omsecor.exe	37
PID 464 wrote to memory of 1756	464	omsecor.exe	37
PID 464 wrote to memory of 1756	464	omsecor.exe	37
PID 464 wrote to memory of 1756	464	omsecor.exe	37
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38
PID 1756 wrote to memory of 2516	1756	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
"C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
  C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
5ce68c76263d053570d82c464d614efb

SHA1
d7eee01a17e897412e626c97cc0c8f5696562cc1

SHA256
ad1a630e2f4e71590b2c4a48c3fd03844c9475f8112d0aa2aa7ffca20dd5ac88

SHA512
78f3d9a815802f4a602173940dbb237f00870834376c8af5ce180df28f8129fcf6dd447afc6e95a3ade3dffcdfea06cd6ee044048e6207b4f221d4c8d5d799aa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
531de0a3a03e0863a0f1ba6c9a11465d

SHA1
da806fa775ca3479a9ddb34cfe35e82e628b9349

SHA256
372301680c59346411a57431c371f42a2db7c548b60314e2c375777e96250816

SHA512
277a92e22da2ccad37061fae8c809aa00fb859c10a816465c857dd01a1d470a2a671498f5d5de78365711afd43b33b077c85d23ef6598111ebbf9cf25eefc679

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
103bb021e2b519d0b7d9d83d3eaaa4f4

SHA1
037668052a0d9e1bf85693e4951b5628bf782eed

SHA256
9e6e764a6c3a2a3d7eb72e27383eaefbabb3d295069665ffad3ea800463d7c50

SHA512
95ba231adc1ac6926f2bbe487022a18b99b8c5b527acda159d1d102c5683afc3f6f51bc72dec75e69e8aec0fc266e6c826d02121031921da11e8243f66d5a8de

Download Submit
memory/464-68-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/1756-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2516-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-44-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/2696-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2756-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2888-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download