neconyd | b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
Size

96KB
MD5

bb3015f0deec5703b41f72f1801b7cb3
SHA1

2ae404f298b282bd26d6a6529cc18539f87c690a
SHA256

b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08
SHA512

05dee2ec3e405164b94d99d3a04db084bab07661b1c9266f6d788ea80995510998f4ea9752db52389f019f3ccfd14686f4ecbb8b361a8fe979b20203be93d8aa
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:oGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1956	omsecor.exe
2740	omsecor.exe
2364	omsecor.exe
2500	omsecor.exe
1492	omsecor.exe
2236	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
1956	omsecor.exe
2740	omsecor.exe
2740	omsecor.exe
2500	omsecor.exe
2500	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 1956 set thread context of 2740	1956	omsecor.exe	32
PID 2364 set thread context of 2500	2364	omsecor.exe	36
PID 1492 set thread context of 2236	1492	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 2680 wrote to memory of 1772	2680	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	30
PID 1772 wrote to memory of 1956	1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	31
PID 1772 wrote to memory of 1956	1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	31
PID 1772 wrote to memory of 1956	1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	31
PID 1772 wrote to memory of 1956	1772	b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe	31
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 1956 wrote to memory of 2740	1956	omsecor.exe	32
PID 2740 wrote to memory of 2364	2740	omsecor.exe	35
PID 2740 wrote to memory of 2364	2740	omsecor.exe	35
PID 2740 wrote to memory of 2364	2740	omsecor.exe	35
PID 2740 wrote to memory of 2364	2740	omsecor.exe	35
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2364 wrote to memory of 2500	2364	omsecor.exe	36
PID 2500 wrote to memory of 1492	2500	omsecor.exe	37
PID 2500 wrote to memory of 1492	2500	omsecor.exe	37
PID 2500 wrote to memory of 1492	2500	omsecor.exe	37
PID 2500 wrote to memory of 1492	2500	omsecor.exe	37
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38
PID 1492 wrote to memory of 2236	1492	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
"C:\Users\Admin\AppData\Local\Temp\b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
  C:\Users\Admin\AppData\Local\Temp\b93402cbc7cb95517482acf086b8aa8fc06edd8f10e199f86d500ee62e3bee08.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dc835ad6065b8484aa9f94a6d6535a54

SHA1
26ae266988c2bf266a1a097d9ca045fa9e4ff501

SHA256
3c7c89d6d363dbc7a9ab86fa085e3f019ecfdb0922fe9ef233671e2b4531e422

SHA512
db1067b50b02bd1f5ca00e9412ccd4966062c4eef00a0f94f3205dc29a34fff885d7e709ccb7062797c6afc2042de61eea3824ffa83292c14bc930214dbb8fa3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4279cd13aaa02428c4189561297ee14a

SHA1
948752266d4ca80cc96e99b2d2528bce2f2bc1a0

SHA256
cd0c5cf42b093ccd61628ca32941247b6db44dca9a82dc555d8d060cbf932445

SHA512
d20b9c7b4e84bb62df27b7907cdebf418d5afc02ca0ae6beb10165d532ca6c8304ac52f80cac9c5c46a659def3402dfbfd22af559b48d3b733a9e4e60aca441e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6b2585fdc2f2e703d78c78cead41a7b0

SHA1
e698aa68acd77567cfbcf5aa139d911740b35972

SHA256
3453f0b9e7b5e242d81e945968b82a4c070a279cf93cfd604e5392aaa89ace94

SHA512
f1671c22ad3bb88504d36b2ea6919695a914555fc2e3c4c14779af559fdb98991244501144007b386fd4448fee4b091d75b72d90fdf028e9277302b0306178e4

Download Submit
memory/1492-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1772-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1772-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1772-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1772-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1772-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2500-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2680-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2740-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-47-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2740-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download