neconyd | ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
Size

96KB
MD5

b59b72080e7876cbdce2a0d3421daa00
SHA1

52b65b37afe7dd6687b74d64d7b0aad38b9fe442
SHA256

ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248
SHA512

bd2289b4cb9d2ce70a2e690cda967086883722fb8cf3e7e2c1cfb612fcb08d6e6adb0f550739e5ee7cf4bda1925f999b8622ad1e275f7d561d2be347ad9b2214
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:pGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2480	omsecor.exe
1440	omsecor.exe
1692	omsecor.exe
2872	omsecor.exe
1936	omsecor.exe
1280	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
2480	omsecor.exe
1440	omsecor.exe
1440	omsecor.exe
2872	omsecor.exe
2872	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 2480 set thread context of 1440	2480	omsecor.exe	33
PID 1692 set thread context of 2872	1692	omsecor.exe	37
PID 1936 set thread context of 1280	1936	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1984 wrote to memory of 1812	1984	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	31
PID 1812 wrote to memory of 2480	1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	32
PID 1812 wrote to memory of 2480	1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	32
PID 1812 wrote to memory of 2480	1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	32
PID 1812 wrote to memory of 2480	1812	ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe	32
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 2480 wrote to memory of 1440	2480	omsecor.exe	33
PID 1440 wrote to memory of 1692	1440	omsecor.exe	36
PID 1440 wrote to memory of 1692	1440	omsecor.exe	36
PID 1440 wrote to memory of 1692	1440	omsecor.exe	36
PID 1440 wrote to memory of 1692	1440	omsecor.exe	36
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 1692 wrote to memory of 2872	1692	omsecor.exe	37
PID 2872 wrote to memory of 1936	2872	omsecor.exe	38
PID 2872 wrote to memory of 1936	2872	omsecor.exe	38
PID 2872 wrote to memory of 1936	2872	omsecor.exe	38
PID 2872 wrote to memory of 1936	2872	omsecor.exe	38
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39
PID 1936 wrote to memory of 1280	1936	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
"C:\Users\Admin\AppData\Local\Temp\ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
  C:\Users\Admin\AppData\Local\Temp\ba655344919a158eba14ec04bd7171c503b8b1229e96771c6d82e09e0a0b5248.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
08b11d8397bff0b1946992f3a73e2f32

SHA1
354c8603535a1116bbb9bb1549bd01f36168418c

SHA256
aff1962c067240ec722df9c1e4e3923c922f8f21dafd5925cfde6292318c75b7

SHA512
96118a4dd9d5809359e749fdb07fec87f12af039aca724373697480dce75679f0e3e99d4dd56df6915e6e9e1e00176cfa842ea93fb116ac62b620af9ee2cc753

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e7819423584a67bae6b779c833f0b541

SHA1
e06cb0029a8ab3ac948e9c4e35072da7bfb20dfd

SHA256
5a686924671bd291f935568072473f10108765d8ace0bd55353822c76239caf5

SHA512
bbfb72d85f0363263dbb111e27636a660b954afa1b51aaf5d4a31f53c22e3d494b14abdae84f8aaf2f37271fcfa571fea2c9323e184cd347d5469d8081aabf4a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
72c1dbc0633418000228ec854e6b667e

SHA1
6517d4a4dcfa32a26915b9b9f9e1a71c45aeb913

SHA256
df3203a5449c449118d73699fe55e345f13e1fdbe8ce286725d58561e3aab275

SHA512
f4b747e7d3a22b3b6ab03d7024a89311f47eb81a85f765cc7fb0ea54c3636ef65811a19c815ccdae2679b739a72e147e457994ec29e8d52c4259c35b7420db0c

Download Submit
memory/1280-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-53-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/1440-54-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/1440-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1692-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-3-0x0000000001C70000-0x0000000001C93000-memory.dmp

Filesize
140KB

Download
memory/2480-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-79-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2872-91-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download