neconyd | a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Size

96KB
MD5

c709c8f097c6705265411c7a8b92f632
SHA1

57b68849fd4871d5779dcca7c5cea0e34d69c14b
SHA256

a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece
SHA512

ca334b1714464066cd7cb3e956aeeed5d76d84cd3f86e54dc6307ee6f45f44dd636fef673f643e0489cfa13d49df6a4678df016401ff000eae93f6eda80aee6b
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:pGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2988	omsecor.exe
2192	omsecor.exe
2608	omsecor.exe
2020	omsecor.exe
1304	omsecor.exe
2500	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
2988	omsecor.exe
2192	omsecor.exe
2192	omsecor.exe
2020	omsecor.exe
2020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2988 set thread context of 2192	2988	omsecor.exe	33
PID 2608 set thread context of 2020	2608	omsecor.exe	36
PID 1304 set thread context of 2500	1304	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 2708 wrote to memory of 1608	2708	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	31
PID 1608 wrote to memory of 2988	1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	32
PID 1608 wrote to memory of 2988	1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	32
PID 1608 wrote to memory of 2988	1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	32
PID 1608 wrote to memory of 2988	1608	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	32
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2988 wrote to memory of 2192	2988	omsecor.exe	33
PID 2192 wrote to memory of 2608	2192	omsecor.exe	35
PID 2192 wrote to memory of 2608	2192	omsecor.exe	35
PID 2192 wrote to memory of 2608	2192	omsecor.exe	35
PID 2192 wrote to memory of 2608	2192	omsecor.exe	35
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2608 wrote to memory of 2020	2608	omsecor.exe	36
PID 2020 wrote to memory of 1304	2020	omsecor.exe	37
PID 2020 wrote to memory of 1304	2020	omsecor.exe	37
PID 2020 wrote to memory of 1304	2020	omsecor.exe	37
PID 2020 wrote to memory of 1304	2020	omsecor.exe	37
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38
PID 1304 wrote to memory of 2500	1304	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
"C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
  C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
49a30a6dc3b7aadd95ee9246e463ffea

SHA1
26f1aa0530a93266d52fc0122bbe58f328197b71

SHA256
78b35f4cb2633f125332ad0dc3afb3b8c145a7234d7731b20fd894645ccc478c

SHA512
05974872823bb57cbf64cd2f5faab605e14383fab0c38f8d3c6de10835c07de201a9eee3d8f4d0808443fc4e372bb5faaa772953771b83501634e9c30f28ebc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
598a2154a4c155426a40964a6292a64d

SHA1
37b5cf64695027fdd87b6e00a1de4f8e8e9bbebe

SHA256
319437626b85acb6eff4dbc514fe27772bf3f238c6cbee3d99cc46e281e4f522

SHA512
f8222d4d6624f8c12142c7a3da55308c25815a235f83d59c78767ad0a6698eeb37af773cbd185c8aa56f4e8dd67893c6650c8d865bbeecfcbc7d5915e9e0444d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9d13b9d6a6bbceb7242cac2bf1188a3f

SHA1
aa1f58a6462891abd6421e74c4b0789725c18e9f

SHA256
b252462a17122235a7ffd565f255bb31ca7383defa75035d3fafe2497609841b

SHA512
26cc77007115404c4921d7d6111c14bf34f605f2823ad04e3462de1387c65942f6069a56ec16047ff53d7f755a9ee19cd10ce40981302ab24ee7729a1a529921

Download Submit
memory/1304-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1608-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1608-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1608-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1608-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-72-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2192-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-55-0x00000000022D0000-0x00000000022F3000-memory.dmp

Filesize
140KB

Download
memory/2192-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-48-0x00000000022D0000-0x00000000022F3000-memory.dmp

Filesize
140KB

Download
memory/2192-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2608-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2988-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download