neconyd | c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972

Analysis

max time kernel
116s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
Size

96KB
MD5

4d7565fd278b35592d7e4be90523b770
SHA1

fd9c3504f56ee5596f7249bed151ca87823f1b46
SHA256

c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972
SHA512

22f87d8fe9ed341165baf6a37f18163f9a9be06af7e491b269ef3ebe2a192c764ce5c992c4270e8b82878b68a062073f5c239836231adadb12c28db0218af15b
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:oGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2680	omsecor.exe
2704	omsecor.exe
3068	omsecor.exe
1364	omsecor.exe
1480	omsecor.exe
1100	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
2680	omsecor.exe
2704	omsecor.exe
2704	omsecor.exe
1364	omsecor.exe
1364	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 2680 set thread context of 2704	2680	omsecor.exe	33
PID 3068 set thread context of 1364	3068	omsecor.exe	37
PID 1480 set thread context of 1100	1480	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 1508 wrote to memory of 2860	1508	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	31
PID 2860 wrote to memory of 2680	2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	32
PID 2860 wrote to memory of 2680	2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	32
PID 2860 wrote to memory of 2680	2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	32
PID 2860 wrote to memory of 2680	2860	c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe	32
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2680 wrote to memory of 2704	2680	omsecor.exe	33
PID 2704 wrote to memory of 3068	2704	omsecor.exe	36
PID 2704 wrote to memory of 3068	2704	omsecor.exe	36
PID 2704 wrote to memory of 3068	2704	omsecor.exe	36
PID 2704 wrote to memory of 3068	2704	omsecor.exe	36
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 3068 wrote to memory of 1364	3068	omsecor.exe	37
PID 1364 wrote to memory of 1480	1364	omsecor.exe	38
PID 1364 wrote to memory of 1480	1364	omsecor.exe	38
PID 1364 wrote to memory of 1480	1364	omsecor.exe	38
PID 1364 wrote to memory of 1480	1364	omsecor.exe	38
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39
PID 1480 wrote to memory of 1100	1480	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
"C:\Users\Admin\AppData\Local\Temp\c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
  C:\Users\Admin\AppData\Local\Temp\c51daafbafe4a8521bf2cb7fbf4550ff2c7ba0227b37ffca1741e8617c5da972N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ef73bc5e3724450dba2b1d7fc513089f

SHA1
968d4d257e6f46cd69969592410f1a1c6ba6cfbe

SHA256
a44ecf5df3e463ca53d5904c98474aae9930edf8506d6ab722e74697463e1454

SHA512
5a32cf142a31d648b572079829fa72edc9aee977d08f13ed1517684b11f78e9fbc1def12883c13a4aa66392e6e43f008007d0c5d01dac75b780b88eff9f5ddf5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
255e84d5cf056b064f89aa330494168e

SHA1
9400fdc94d16946f435c43bdf158dc999ddff8e8

SHA256
a1e33f66de925d7a89fde44912148b316762951239c453fc301b68999eb28e54

SHA512
dbae6e8b5a04bcd3f0d1836e4b45a42cd5214300c1ddbc5e9c634ad22e4d68a77fee36b1d8f02c1d99fe72947ea88f1aae0c2d80740b6bc7c3936fe296774477

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9e6a68c9ed24659e8e213d4aed0955e8

SHA1
edd070a0a681fbade927eb482cdc5a1312845025

SHA256
c4b9a5c4eb490d6187de3dda6d817cc4383867255f08bd40ef2c25d8e8b5234a

SHA512
8e2a4af2b65311e4d35784bba2d8768e4155b015a063e0d9651e192bbd5d4f06cf7c205a2c2d1a77728c837ecebde960fa532c7b6ad01718d0738ee2d66b99b8

Download Submit
memory/1100-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1364-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1480-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1480-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1508-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1508-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-47-0x0000000000320000-0x0000000000343000-memory.dmp

Filesize
140KB

Download
memory/2704-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download