neconyd | 0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Size

96KB
MD5

c5061cb02f8a9fcac28699f7c5af3940
SHA1

b6a76e05979acb92f7c77e81104666f8b98ea78e
SHA256

0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839
SHA512

e00b41cb1ad5a2bfcf87af437d78ceb8258b4ab327a7ce44b868f5c791b88ed11af1e17bb8357a8a1c6110c5eba345376065a7945388f7a19800bfe297d40ce6
SSDEEP

1536:/nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:/Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2984	omsecor.exe
2188	omsecor.exe
3000	omsecor.exe
1944	omsecor.exe
1824	omsecor.exe
2068	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
2984	omsecor.exe
2188	omsecor.exe
2188	omsecor.exe
1944	omsecor.exe
1944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2984 set thread context of 2188	2984	omsecor.exe	33
PID 3000 set thread context of 1944	3000	omsecor.exe	36
PID 1824 set thread context of 2068	1824	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 2364 wrote to memory of 1524	2364	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	31
PID 1524 wrote to memory of 2984	1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	32
PID 1524 wrote to memory of 2984	1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	32
PID 1524 wrote to memory of 2984	1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	32
PID 1524 wrote to memory of 2984	1524	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	32
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2984 wrote to memory of 2188	2984	omsecor.exe	33
PID 2188 wrote to memory of 3000	2188	omsecor.exe	35
PID 2188 wrote to memory of 3000	2188	omsecor.exe	35
PID 2188 wrote to memory of 3000	2188	omsecor.exe	35
PID 2188 wrote to memory of 3000	2188	omsecor.exe	35
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 3000 wrote to memory of 1944	3000	omsecor.exe	36
PID 1944 wrote to memory of 1824	1944	omsecor.exe	37
PID 1944 wrote to memory of 1824	1944	omsecor.exe	37
PID 1944 wrote to memory of 1824	1944	omsecor.exe	37
PID 1944 wrote to memory of 1824	1944	omsecor.exe	37
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38
PID 1824 wrote to memory of 2068	1824	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
"C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
  C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1f6d1164d853e2b7d8105b844d3e7147

SHA1
33b7026ef4b95d5da015b48372c3b3480a53cea6

SHA256
1fe18aed95ed84c82052e4c62a7cf33e0c6904f8cfdafa833132d7069b6e81ee

SHA512
290f35b2422df3149eaba09d2baac57808b04704478d6213fb32d3f76c9a6f787b5a68a5ee439a96fdb495cee0499650276b02e8e650267cccafb0c192a247a9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0467cd6c63b85679373559d4297b446d

SHA1
84dc0c0e22c6e5756209e58b3f193523fd8ce4b6

SHA256
9c4a3cda862551e5b6ec9297c86c9cf194add886461e849caff647bbd84b39ae

SHA512
ec4b7e561a74a31ab43ef99d231867c69fd40df48f86eb9b7a5ca9f6aa87b89a0b2b14d814bd90a333297a0da35062394d3c139dac900b57e6d65d26f9d60ff2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
84e5387931ee8e7ea195272e41bc190d

SHA1
30754e0b219c57adb3cd42bb457fc0c8a9905272

SHA256
4950ac206503c6becffb217442573dfbb1c0c7dcbbd19fede603a29aa9775183

SHA512
43d49e6f22487f03e42c88bbb012231085a574ff1e51413fd922abb2aebc6a95a83e6ee425663baa7452a861bbc906f538baeb07807dac1148b77be896e93b6b

Download Submit
memory/1524-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1824-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1824-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-73-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2068-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-55-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2188-53-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2188-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2984-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download