neconyd | 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
Size

96KB
MD5

702d7d818e2b3e5661a7c61433a20118
SHA1

1ffe06c9db1e8178806bfe02e971b17b261f7abc
SHA256

0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833
SHA512

7fa4b86a390a0a658f5f95edce7d731375cb36bdb9dde4bb4230441e83c51260c59c84b6c6291de8a0e6026c5f65c356244205943ef588cb2067550b79da8124
SSDEEP

1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:HGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2360	omsecor.exe
2968	omsecor.exe
1908	omsecor.exe
2016	omsecor.exe
1852	omsecor.exe
2952	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
2360	omsecor.exe
2968	omsecor.exe
2968	omsecor.exe
2016	omsecor.exe
2016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2360 set thread context of 2968	2360	omsecor.exe	32
PID 1908 set thread context of 2016	1908	omsecor.exe	36
PID 1852 set thread context of 2952	1852	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2372 wrote to memory of 2148	2372	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	30
PID 2148 wrote to memory of 2360	2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	31
PID 2148 wrote to memory of 2360	2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	31
PID 2148 wrote to memory of 2360	2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	31
PID 2148 wrote to memory of 2360	2148	0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe	31
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2360 wrote to memory of 2968	2360	omsecor.exe	32
PID 2968 wrote to memory of 1908	2968	omsecor.exe	35
PID 2968 wrote to memory of 1908	2968	omsecor.exe	35
PID 2968 wrote to memory of 1908	2968	omsecor.exe	35
PID 2968 wrote to memory of 1908	2968	omsecor.exe	35
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 1908 wrote to memory of 2016	1908	omsecor.exe	36
PID 2016 wrote to memory of 1852	2016	omsecor.exe	37
PID 2016 wrote to memory of 1852	2016	omsecor.exe	37
PID 2016 wrote to memory of 1852	2016	omsecor.exe	37
PID 2016 wrote to memory of 1852	2016	omsecor.exe	37
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38
PID 1852 wrote to memory of 2952	1852	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
"C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ae753e5386a5755c298250f922a62d8a

SHA1
75aee149c21d4df745f170fa8d67522a8b97ca23

SHA256
aca3f9808ede1d037dbbe66d98a556c2844821b2405d92ef290f033fcf77d22d

SHA512
a8b01c55bd1d5e2703544141bced2cd430234e082719b9428628b2cc4e8e4053cc0ebef7244d9d61f1a1797ded3c53aaa8760d1603ef933710c2930dcde9824b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
21d18d1e8d0d191947a83157bca1727c

SHA1
3baad5fa032d7e502b9b1783e74ce465c1b19afc

SHA256
8012f3bf195a8529a2275248abc3e710ea80749b0df31cfddae0140e554426c6

SHA512
0aee8b92989daede5cf361dd2b92ac44ef7e6bdfc0e469b1a6b946c03971b2b134cd145290338bd52871565b46c54256d41938efcfec1d9d9d0c49ec2eb391d4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d3b930c87d9ce38d03e57136321aa0fe

SHA1
5dd56fd50c61ebb42f3db2a33b45327c9b915abc

SHA256
83eff4662c6decae57a74ffc840883e6c116a5987e0566d73b583b7eab85bb63

SHA512
f71e933c38c164056b52626c8cb615f2a0e35dd2cc3945f812235b14daa79f77ad587bda167e003cac82433dfe3adca88cbc510b4aee1bcc10e3aebd99160e66

Download Submit
memory/1852-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1852-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2148-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-20-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2148-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-25-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2952-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-55-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2968-56-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2968-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download