neconyd | 7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8eb

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
Size

96KB
MD5

bc3605cf527687ece09deda62011fe30
SHA1

17e76cae976757717c6f95ee80865852bc19dd47
SHA256

7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8eb
SHA512

769481f7c9784712b0348ac5d8a97eeaa59f1d23a754d86210eab3a233a498375f0fa629349d502c901737247d90b696e5f63ffa805d2cd14a775e816f09f51b
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:pGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2824	omsecor.exe
2684	omsecor.exe
1040	omsecor.exe
2084	omsecor.exe
2332	omsecor.exe
1132	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
2824	omsecor.exe
2684	omsecor.exe
2684	omsecor.exe
2084	omsecor.exe
2084	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2824 set thread context of 2684	2824	omsecor.exe	32
PID 1040 set thread context of 2084	1040	omsecor.exe	36
PID 2332 set thread context of 1132	2332	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2644 wrote to memory of 2144	2644	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	30
PID 2144 wrote to memory of 2824	2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	31
PID 2144 wrote to memory of 2824	2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	31
PID 2144 wrote to memory of 2824	2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	31
PID 2144 wrote to memory of 2824	2144	7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe	31
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2824 wrote to memory of 2684	2824	omsecor.exe	32
PID 2684 wrote to memory of 1040	2684	omsecor.exe	35
PID 2684 wrote to memory of 1040	2684	omsecor.exe	35
PID 2684 wrote to memory of 1040	2684	omsecor.exe	35
PID 2684 wrote to memory of 1040	2684	omsecor.exe	35
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 1040 wrote to memory of 2084	1040	omsecor.exe	36
PID 2084 wrote to memory of 2332	2084	omsecor.exe	37
PID 2084 wrote to memory of 2332	2084	omsecor.exe	37
PID 2084 wrote to memory of 2332	2084	omsecor.exe	37
PID 2084 wrote to memory of 2332	2084	omsecor.exe	37
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38
PID 2332 wrote to memory of 1132	2332	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
"C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
  C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0cb9f74c541b920fc018c7fbf3716dcb

SHA1
99458ce1855d7a90cc5bf90adaee4c2cfc523d8e

SHA256
1bef612b24fe5ea992ad9e9c9bcdf989c07083fa6adc0d3793deb5b02edd908f

SHA512
d01c737e03f860e5c3870f9a338c2061f1a70ed3591196d2238f45219d968a5bb42441618bc85f3e4c2ef6a918670d4bf1a7eb97f831cf49d1a80caee87460cb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ab308f7bcea922a5fedd15dfc63dba47

SHA1
e574da429f971626a96c0f043a03db499af581ca

SHA256
d9cdd77df03e4de0531aeedb802c58088309e12713bf7f5d4c5f575aab115d78

SHA512
f2973e9a2acd6dc0121059b879cbd0b439573ccf85e1046f38bbcd984ce3d4bb1319fc193e3ac8dcc76aec710716b28f8b0749ad0b416d1a1efb19c6a2677953

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ca6474998e1da951c5f4549ed663e831

SHA1
0c7950dfe9cf8672b180888ae2069d69f659a791

SHA256
eed4935f930175e61d6a9207174d52923f16990c57a32b6cd4a62d69ba7124f0

SHA512
0410563a650e1b978e28916a67d953721ad021d8d564250aac88acbb2f967f224a2dfb48c3b284c05bb9193b533d3d817e2860dd82d53e8b80d64e152069af8e

Download Submit
memory/1040-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1132-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2144-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-46-0x0000000000530000-0x0000000000553000-memory.dmp

Filesize
140KB

Download
memory/2684-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2824-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2824-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download