neconyd | 17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9a

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
Size

96KB
MD5

aa01c104f051dd346f3d7fb5d1963440
SHA1

1b8917f9c48e9efe31e6d3015d4a638d1372a5c0
SHA256

17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9a
SHA512

25d78535126338be97934e2425b163c7ca15d9218d03bb1f267fade9e0693ef4074c98413da28499840ca82173cae3f38687a6a626e56f6dd21f12a07b1f417d
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:pGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1788	omsecor.exe
2884	omsecor.exe
1328	omsecor.exe
1628	omsecor.exe
1920	omsecor.exe
1752	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
1788	omsecor.exe
2884	omsecor.exe
2884	omsecor.exe
1628	omsecor.exe
1628	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 340 set thread context of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 1788 set thread context of 2884	1788	omsecor.exe	32
PID 1328 set thread context of 1628	1328	omsecor.exe	36
PID 1920 set thread context of 1752	1920	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 340 wrote to memory of 2108	340	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	30
PID 2108 wrote to memory of 1788	2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	31
PID 2108 wrote to memory of 1788	2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	31
PID 2108 wrote to memory of 1788	2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	31
PID 2108 wrote to memory of 1788	2108	17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe	31
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 1788 wrote to memory of 2884	1788	omsecor.exe	32
PID 2884 wrote to memory of 1328	2884	omsecor.exe	35
PID 2884 wrote to memory of 1328	2884	omsecor.exe	35
PID 2884 wrote to memory of 1328	2884	omsecor.exe	35
PID 2884 wrote to memory of 1328	2884	omsecor.exe	35
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1328 wrote to memory of 1628	1328	omsecor.exe	36
PID 1628 wrote to memory of 1920	1628	omsecor.exe	37
PID 1628 wrote to memory of 1920	1628	omsecor.exe	37
PID 1628 wrote to memory of 1920	1628	omsecor.exe	37
PID 1628 wrote to memory of 1920	1628	omsecor.exe	37
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38
PID 1920 wrote to memory of 1752	1920	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
"C:\Users\Admin\AppData\Local\Temp\17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
  C:\Users\Admin\AppData\Local\Temp\17f6caf955733500fa5eb7efeea47612ac0843c40807a93eda268aaa128ebd9aN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9e6e69f3a0542fc8c1dc0f8b0957d432

SHA1
f4896ba80880b39453bb0a8d10fb8de4fcf7040d

SHA256
5b59b9a3c20b96b825d27073408fb1ab8b5db90f697e1d79d572a95d42756c08

SHA512
58b1218b85849e138389bfdee64a0f2d7b4d8b9bd3c6e64703462cee0125ede11378b3893bb298c4ea4fbc5b736f98f7cf44c13de43587cde550c5c20729b293

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
be8649654021bfa1f1783a650976cb0d

SHA1
84812a48cf422f765937953e1e093344bba1972d

SHA256
92336a9f41c5fdc949a83efc52ef5621289cfe01b1475beed46f2fea0542354c

SHA512
7e395ab79812a738d509061997ffabe2f622062bb4c587c225953b7ed2f69bf3e73acbc8febad0f7481c16ef9900a1d70370f193e591320fa7a22328e754edb2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1f2235f8bd5d10761cc81a3714513024

SHA1
31e7a2ba7863bfba3583b16ecc483a5e55f26c0d

SHA256
69e9fbdc6eedfa6342bee569ecfa6f4e2e095019b2d2d396fdfcb9a409c9bf4d

SHA512
e6df060d2a8697e554950171aa4cb0b003b9721a69d2ccda69b62a485ffa208bc8ddc7e57d6c34709954acdbb384b5ff7750430519dc0bf6765ff1d01b6062cd

Download Submit
memory/340-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/340-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1328-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1328-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1788-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download