neconyd | f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
Size

96KB
MD5

7fa334ca092185026c561dec6da7dad6
SHA1

0f7851a603baa80f6864b2e3f6ce99b2e6f0fff8
SHA256

f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505
SHA512

2f582f853952635d9a4a2a9376c000d538db2784a5de9712f12a68c25df9aaaf72e27d0e8457349b01a377b252bf9e576457549a5ca76a7257b8f0833f799472
SSDEEP

1536:enAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:eGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2344	omsecor.exe
2992	omsecor.exe
1572	omsecor.exe
2108	omsecor.exe
1736	omsecor.exe
1180	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
2344	omsecor.exe
2992	omsecor.exe
2992	omsecor.exe
2108	omsecor.exe
2108	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2344 set thread context of 2992	2344	omsecor.exe	33
PID 1572 set thread context of 2108	1572	omsecor.exe	37
PID 1736 set thread context of 1180	1736	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2700 wrote to memory of 2748	2700	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	31
PID 2748 wrote to memory of 2344	2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	32
PID 2748 wrote to memory of 2344	2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	32
PID 2748 wrote to memory of 2344	2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	32
PID 2748 wrote to memory of 2344	2748	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	32
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2344 wrote to memory of 2992	2344	omsecor.exe	33
PID 2992 wrote to memory of 1572	2992	omsecor.exe	36
PID 2992 wrote to memory of 1572	2992	omsecor.exe	36
PID 2992 wrote to memory of 1572	2992	omsecor.exe	36
PID 2992 wrote to memory of 1572	2992	omsecor.exe	36
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 1572 wrote to memory of 2108	1572	omsecor.exe	37
PID 2108 wrote to memory of 1736	2108	omsecor.exe	38
PID 2108 wrote to memory of 1736	2108	omsecor.exe	38
PID 2108 wrote to memory of 1736	2108	omsecor.exe	38
PID 2108 wrote to memory of 1736	2108	omsecor.exe	38
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39
PID 1736 wrote to memory of 1180	1736	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
"C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
  C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
13c16dcfc64db649ace3fa15b63e300d

SHA1
177a7a5aca8e34d584ffa672ff36d257c22e0d63

SHA256
2df1b3119be5bc9f7c897e9b9c845381050fe162daf11660551447400c0149b9

SHA512
b0024d7615464ca48b6c500fb60120a3cc381840d4a9e3ba64fb78df25f9b6397a7b5dac94beaa2a0c6e9d67d277be32676168dfa1fc76c3c4ed6a0a34a93e33

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9947a1cfed8fe30b7656932d3fbaa84f

SHA1
e476057eebf96fee6c8966eb6472458b7fb95668

SHA256
74d6c78d9e9568336472aedb52245e780ef1ca7c081d2daa43ddf9089b3ca7e1

SHA512
5b7ecda269748ad3916a8b679fe3de3126f1e8007b4da39a31ac3d30f4c7e681e0448f51cf09e98d41bb9f333e401db503f9d04817a020b2e21b0b1cc3084884

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9682f59c0243fdd70a369243562ba71b

SHA1
9380f4d5606e08044a21b62947678440323d4b1d

SHA256
602a60700b3cda06700928b63765b57bc77743c85f67c357580af15fee199367

SHA512
25a16b5879af974229c4d890c7d373bbe387f3a505809cff9b53d6f2563a06829c3ba3dba72eca93f7c9ddf1c4223ca6355661c4e1e38aa88b02a0c5259bdf4e

Download Submit
memory/1180-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1572-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1572-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2344-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2700-1-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2700-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2700-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-47-0x0000000000780000-0x00000000007A3000-memory.dmp

Filesize
140KB

Download
memory/2992-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download