neconyd | f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
Size

96KB
MD5

b31153cf408fccc14297b6f43e514640
SHA1

085eeae4d04bf3a083e4984a65dadd732ab5c2a3
SHA256

f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87
SHA512

0707d619f1bce898564b39c6fcbb9cb544890a27b74f6baff6e9a4d1d6aadfde00f621f09681791039d2a13f337b45a88ec60bbcd6d226f6fb9918b9173e18b2
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:lGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2424	omsecor.exe
2384	omsecor.exe
2852	omsecor.exe
1496	omsecor.exe
2096	omsecor.exe
2136	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
2424	omsecor.exe
2384	omsecor.exe
2384	omsecor.exe
1496	omsecor.exe
1496	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2424 set thread context of 2384	2424	omsecor.exe	33
PID 2852 set thread context of 1496	2852	omsecor.exe	36
PID 2096 set thread context of 2136	2096	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2324 wrote to memory of 2064	2324	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	31
PID 2064 wrote to memory of 2424	2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	32
PID 2064 wrote to memory of 2424	2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	32
PID 2064 wrote to memory of 2424	2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	32
PID 2064 wrote to memory of 2424	2064	f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe	32
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2424 wrote to memory of 2384	2424	omsecor.exe	33
PID 2384 wrote to memory of 2852	2384	omsecor.exe	35
PID 2384 wrote to memory of 2852	2384	omsecor.exe	35
PID 2384 wrote to memory of 2852	2384	omsecor.exe	35
PID 2384 wrote to memory of 2852	2384	omsecor.exe	35
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 2852 wrote to memory of 1496	2852	omsecor.exe	36
PID 1496 wrote to memory of 2096	1496	omsecor.exe	37
PID 1496 wrote to memory of 2096	1496	omsecor.exe	37
PID 1496 wrote to memory of 2096	1496	omsecor.exe	37
PID 1496 wrote to memory of 2096	1496	omsecor.exe	37
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38
PID 2096 wrote to memory of 2136	2096	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
"C:\Users\Admin\AppData\Local\Temp\f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
  C:\Users\Admin\AppData\Local\Temp\f3eb9e4768684f44ab5dd8bc53d7c960ffb8a1403500aac361bc68daa2f95a87N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
747e770aa0d155bef88d67b3e6a9782b

SHA1
85cf8d34488e9611d5b21a4f74074c127e79aa10

SHA256
1a5bb84a544f98ce01402ebbd8eb018f4a526bc45899ccc1f18f0023ef1c8342

SHA512
82cd2d4faa174f55f9897ddde80b8d29437bc99c219c7f123e40af5c3c4030007f107ef23725b952473c3fd6e50b3d32bc84fe338d459b5b91b56faaeca7fbca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2b56ab9f7ba4bc1f5d4c634e2712adb4

SHA1
261f4dffc03872d454eb824648c5f6c1211e0b07

SHA256
e884c372e169c2b955d81ea814386e7a7fa163e846e112cad32e5554221391bd

SHA512
973c2da3d4391dd85cc12d7a4a2116f29b93d6db8393ccc8e8a74c89809f6259752a0acd545f7c8628101ab353195392bc3aba78ed3dc379182585e4988b6cc0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0695aae838fe7fb5fbfa5d3390ff1dec

SHA1
5a24587fcbd40afbabd87e0e153296c14548e198

SHA256
3a79ea43208c60c97d038984480434cabbf058b4157f7b91c2960b8740b971d7

SHA512
a4c1d936531a5d672772789dec99ca02b14513b76547991d768cf934c9d8342342bbc697f19318215419b9a8428d46a9561ec8ff20781759ba440f20209599aa

Download Submit
memory/1496-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2064-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2064-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2136-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2324-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2384-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2384-53-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2384-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download