neconyd | 2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Size

96KB
MD5

d32121b969165044095b640f838947d2
SHA1

52aeab88ac91baff20f05e1c95af834e6e9cd759
SHA256

2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923
SHA512

919e74d5598a2ea958fd97d4f4d28105f744cd4df7c19d4740b58830eb05313785629c5845249c1884bd41c89af19834fb84bb1dfeb2a615b351f7fb2cafa986
SSDEEP

1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2416	omsecor.exe
2556	omsecor.exe
1680	omsecor.exe
1912	omsecor.exe
2140	omsecor.exe
1244	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
2416	omsecor.exe
2556	omsecor.exe
2556	omsecor.exe
1912	omsecor.exe
1912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2416 set thread context of 2556	2416	omsecor.exe	33
PID 1680 set thread context of 1912	1680	omsecor.exe	37
PID 2140 set thread context of 1244	2140	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2652 wrote to memory of 2056	2652	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	31
PID 2056 wrote to memory of 2416	2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	32
PID 2056 wrote to memory of 2416	2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	32
PID 2056 wrote to memory of 2416	2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	32
PID 2056 wrote to memory of 2416	2056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	32
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2416 wrote to memory of 2556	2416	omsecor.exe	33
PID 2556 wrote to memory of 1680	2556	omsecor.exe	36
PID 2556 wrote to memory of 1680	2556	omsecor.exe	36
PID 2556 wrote to memory of 1680	2556	omsecor.exe	36
PID 2556 wrote to memory of 1680	2556	omsecor.exe	36
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
"C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
  C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
97ac1e6fc0ce16c0b5c3ca68f6601da5

SHA1
40b2c0d2e78bc5504f5d67c06061bb2e7fbcd08d

SHA256
1db06e47cb44c9a8d2d658a8a9edff46f1e2521ca6c4737789bf8b492f20b16a

SHA512
4ac7d1beb6d60c366b5e13dddc6593db128301fe3376018fcf31db496e2011336d2265ee8d568c4224e79d9a7bff15980f807b36fda9d0e2a5f88048aad96b16

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c2ad8912877c94791815c5973e499088

SHA1
9f8066d82dcb5863b877a8ddf42988ec29158e84

SHA256
bdbcaec5a8272fb3535449c44ee4b947ac6afbb315a1002c136cd0839c1732d0

SHA512
31b21f69d51b37c647f7694019450af0354d46204860fa46329e060f9f0c699cd16a7524f783c12e2eda68d3a63cea48c6de8773d6148aa41f8b180a99a85110

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
22a95d3f085b5dab5c3126b45ff6ea61

SHA1
ab3e133c2f23e1dfd3136fdac06a244a45026830

SHA256
c06c309d69a729b22e07762ad1e5b9a415166e72db1b71f3b41bdc51c3e65e85

SHA512
e63070d7bc581d295e9f66b17588f3c8d31e012a880bd455a818630cb594276fa9a99754bab02fefa83e3451dcb6f1e837b9392e4d0f39f9f56730c2afc78109

Download Submit
memory/1244-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1680-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1912-75-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2056-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-14-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2056-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2140-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2416-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2556-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-56-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2556-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-55-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2556-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-36-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2652-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download