neconyd | 215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7

Analysis

max time kernel
114s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
Size

96KB
MD5

44a4e8ddd0b8c71b3f53fd7d5dfb4548
SHA1

bffb2df54ec99b095237c3e85ab92b187c7a3701
SHA256

215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7
SHA512

e6cb2d37fe98c269281a25d6b6c65bddfb84dc06d396370824ed59a6a2a0af05e63c4cb0fa30b09b4e3a9d1b7b359ad70b3ea67cdae15fdf946652a07f489739
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx+:5Gs8cd8eXlYairZYqMddH13+

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2120	omsecor.exe
492	omsecor.exe
2408	omsecor.exe
2700	omsecor.exe
1936	omsecor.exe
1156	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
2120	omsecor.exe
492	omsecor.exe
492	omsecor.exe
2700	omsecor.exe
2700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2120 set thread context of 492	2120	omsecor.exe	32
PID 2408 set thread context of 2700	2408	omsecor.exe	36
PID 1936 set thread context of 1156	1936	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2016 wrote to memory of 2544	2016	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	30
PID 2544 wrote to memory of 2120	2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	31
PID 2544 wrote to memory of 2120	2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	31
PID 2544 wrote to memory of 2120	2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	31
PID 2544 wrote to memory of 2120	2544	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	31
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 2120 wrote to memory of 492	2120	omsecor.exe	32
PID 492 wrote to memory of 2408	492	omsecor.exe	35
PID 492 wrote to memory of 2408	492	omsecor.exe	35
PID 492 wrote to memory of 2408	492	omsecor.exe	35
PID 492 wrote to memory of 2408	492	omsecor.exe	35
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2408 wrote to memory of 2700	2408	omsecor.exe	36
PID 2700 wrote to memory of 1936	2700	omsecor.exe	37
PID 2700 wrote to memory of 1936	2700	omsecor.exe	37
PID 2700 wrote to memory of 1936	2700	omsecor.exe	37
PID 2700 wrote to memory of 1936	2700	omsecor.exe	37
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38
PID 1936 wrote to memory of 1156	1936	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
"C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
  C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
33abb4d1bb2a31d21936e902fcf4b0d9

SHA1
3d37e9e6fa7f426ddac32232e81aa605cc12aad8

SHA256
d36c160c95727dc1f1b2d28cba14fe8a144d00405c5f501b1adf5422faf9a4fc

SHA512
ba5ec18f4cca7c28796ffc7667c616c1cdb24e70710ffca83c10864bdd524b160dc93c28bce24086e45338baaf793bdb8be87b4dfe84bd40acb121d44d13b55f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cc690f4483e1dbc5e24ff8dbf2d99c55

SHA1
6944153521059b405dd9f9fdb22de04bc1953f31

SHA256
7639005a1bb7fccedeaace13ebab496a372d0d346dfe3ee894815b38ef6e56e1

SHA512
0150c6fef6d1f72559c56ea81fcb2737d28d6077543959c2144e27764e187d79170da0f1d3a113cd23aea7be253ba5dae1d3a69f23de5bec6799400ff3b4fe89

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ec9ce1c68eae29c7070e040d809906a5

SHA1
80a1f823a1dd41951fc43c0fb6ed6bdaa37a0776

SHA256
b39bf264db2a822d3778695b59874ef68fd4d6661f794ef0e697d525e953ea1c

SHA512
0d2a05b16d5c6dc7a2bd33ebc3cf90c194d95f9131910b57b53025b1b1cab22e66ac9b1ec2df7df2befce4e5750811803de204bb7c5595b7b049ded162491d2c

Download Submit
memory/492-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/492-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/492-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/492-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/492-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2120-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2544-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download