neconyd | 5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Size

96KB
MD5

f89d8b35e56a6926f3c5d25275bc8910
SHA1

099635ff50bfe326939885dbb18e6e49ffecd519
SHA256

5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86
SHA512

f1170e262bddfefb3681c5acfd9b6458ad4385719700739e5280ee861223ea25e41ecb09ce215c61ddd254af4215599c532a7f4bd313049bd4af6a0cfe9f4522
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:EGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2784	omsecor.exe
2340	omsecor.exe
1240	omsecor.exe
1684	omsecor.exe
2164	omsecor.exe
2196	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
2784	omsecor.exe
2340	omsecor.exe
2340	omsecor.exe
1684	omsecor.exe
1684	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2784 set thread context of 2340	2784	omsecor.exe	32
PID 1240 set thread context of 1684	1240	omsecor.exe	35
PID 2164 set thread context of 2196	2164	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2736 wrote to memory of 2656	2736	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	30
PID 2656 wrote to memory of 2784	2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	31
PID 2656 wrote to memory of 2784	2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	31
PID 2656 wrote to memory of 2784	2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	31
PID 2656 wrote to memory of 2784	2656	5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe	31
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2784 wrote to memory of 2340	2784	omsecor.exe	32
PID 2340 wrote to memory of 1240	2340	omsecor.exe	34
PID 2340 wrote to memory of 1240	2340	omsecor.exe	34
PID 2340 wrote to memory of 1240	2340	omsecor.exe	34
PID 2340 wrote to memory of 1240	2340	omsecor.exe	34
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1240 wrote to memory of 1684	1240	omsecor.exe	35
PID 1684 wrote to memory of 2164	1684	omsecor.exe	36
PID 1684 wrote to memory of 2164	1684	omsecor.exe	36
PID 1684 wrote to memory of 2164	1684	omsecor.exe	36
PID 1684 wrote to memory of 2164	1684	omsecor.exe	36
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37
PID 2164 wrote to memory of 2196	2164	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
"C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
  C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e2c6c323b01a2c066d6aa28234e3b001

SHA1
dd34d0348aa0e6833bdd104db6004bc03dfd5221

SHA256
20135628e2cf16d154bf8863e4118432718137b81f97d888e4c4bed9a9dc8d28

SHA512
9bb99cc75d3ecabd53db8d5a56b1604f2b322e1b1d8ffab3b206e67f30b469f5e74e47857c8722131b81a46143e8c213d824c5a3884143c1fca26e6e1e5c4851

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
26c76e581e0b97a91763fb37f98b0675

SHA1
f1066ba3945368eb59b5fb2bfa9355f3268f28b9

SHA256
fd50c9fdf10674fbbdecffc5b051d660172b9e1c6bee9c4a894d4e010418c61e

SHA512
46c1607ea4978d91b2a7f5ceb37c0b8ceae7dca43c28d95e62083c4216fd248bb7da25b864285dfc545453ee96b4fe03de90ec52fac3daedef61f935501d55c2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f059a444287599a46b492812ef9df121

SHA1
64d618df24916bbb0c3ceca5c8dfc30e9bd02cbb

SHA256
19580ade83615a60b9df5f3bc6e95efaf794f83aa29b95093f06dc98666e6bf2

SHA512
b004d7a9bbe728e66c9ee7f3850003cfdc5988a5a9a3080cd90227d53b054e3c899527da0af69d149570e20c890afec24e4abb10061a6c2e470f4fc433984dbd

Download Submit
memory/1240-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1240-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1684-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2164-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-52-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2340-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download