neconyd | ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
Size

96KB
MD5

4bd59731fc24d9c116fcda0149fb02ff
SHA1

f6acf67de9b320a883cbe2412a1cd6e80ab79359
SHA256

ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da
SHA512

bfc0e28509c9a3affeb865674bee67f7c775a1624b8905dae0486b72e2b379922edbfbce43e681ffe1e68c50eee03d9b3319eb27dc559a8bc5e002c96db4db9f
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:EGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2920	omsecor.exe
2840	omsecor.exe
1836	omsecor.exe
760	omsecor.exe
480	omsecor.exe
2152	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
2920	omsecor.exe
2840	omsecor.exe
2840	omsecor.exe
760	omsecor.exe
760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2920 set thread context of 2840	2920	omsecor.exe	32
PID 1836 set thread context of 760	1836	omsecor.exe	35
PID 480 set thread context of 2152	480	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2656 wrote to memory of 2720	2656	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	30
PID 2720 wrote to memory of 2920	2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	31
PID 2720 wrote to memory of 2920	2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	31
PID 2720 wrote to memory of 2920	2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	31
PID 2720 wrote to memory of 2920	2720	ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe	31
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2920 wrote to memory of 2840	2920	omsecor.exe	32
PID 2840 wrote to memory of 1836	2840	omsecor.exe	34
PID 2840 wrote to memory of 1836	2840	omsecor.exe	34
PID 2840 wrote to memory of 1836	2840	omsecor.exe	34
PID 2840 wrote to memory of 1836	2840	omsecor.exe	34
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 1836 wrote to memory of 760	1836	omsecor.exe	35
PID 760 wrote to memory of 480	760	omsecor.exe	36
PID 760 wrote to memory of 480	760	omsecor.exe	36
PID 760 wrote to memory of 480	760	omsecor.exe	36
PID 760 wrote to memory of 480	760	omsecor.exe	36
PID 480 wrote to memory of 2152	480	omsecor.exe	37
PID 480 wrote to memory of 2152	480	omsecor.exe	37
PID 480 wrote to memory of 2152	480	omsecor.exe	37
PID 480 wrote to memory of 2152	480	omsecor.exe	37
PID 480 wrote to memory of 2152	480	omsecor.exe	37
PID 480 wrote to memory of 2152	480	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
"C:\Users\Admin\AppData\Local\Temp\ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
  C:\Users\Admin\AppData\Local\Temp\ab668982bfab822a30cfc77c78ec0b77069f89278e2c89cafc2a8ba1657165da.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8f764a08255e4f2c37fc23c1a8512ea0

SHA1
6eb198f9fdd0c70bacb3e2a69514446fa9dd87fc

SHA256
3b8fb1279c02aaae3f193897064b193a77413796c7b1e53abf38298ae7afc398

SHA512
030bf9d58974693cb35d3484cba0060afe9dcb5aa16e3ffafd2f39761293d1ca8964d6dd9062a8a663041757de06cd878d9a935b3ed582f10088f4284d5ee8e2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
eadbdd995b65fde194bde2de3f3ac707

SHA1
3242fbc22359f97f5345d0ce84336609ac9eff04

SHA256
ed2ebacf6c5349af8f7659fce21a7ac3b4a0a5d16eb5df9aeb928d607241319c

SHA512
71ceb852af958c282d82da94fd28fcb73185c0248fb8730fc81cc090d1e5a913e5299263fb1f5aab41dcc7dde292dfdab163744ec0a6b96e59d835622de7be20

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b4d56d17ff2743425aa1d56a4f8b2a37

SHA1
1297a67d45e365307e18feb44a8825600df8fab3

SHA256
2331dce1a13691c85196aff2f63ec56310fa2beba9315375058cb0500a173267

SHA512
5b397e43555af9bc70e1879929112c32bc62a07d13229c50c2a12affb08c617f43435a867e0a745727ba42e4396e9e3dc7cee6254ba9c89a13e3393fadb26ade

Download Submit
memory/480-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/480-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/760-80-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/760-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1836-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2656-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-14-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/2720-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-49-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2840-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-30-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2920-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download