neconyd | a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Size

96KB
MD5

0b392359a652f185cb5d802d17b32e7a
SHA1

4ccf8207bd88f50b6e8ffb1e6d75c6be19b8776a
SHA256

a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c
SHA512

65ea75b38bbd8c50da1dda641fb13c83dea793ff5171d729fbf39850a761b24f0b9088bbac6fc0e7dfc83c60ddb514d3b521347371c5542e5936fb652b230391
SSDEEP

1536:snAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:sGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2732	omsecor.exe
2872	omsecor.exe
1708	omsecor.exe
1188	omsecor.exe
1652	omsecor.exe
2164	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
2732	omsecor.exe
2872	omsecor.exe
2872	omsecor.exe
1188	omsecor.exe
1188	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 2732 set thread context of 2872	2732	omsecor.exe	32
PID 1708 set thread context of 1188	1708	omsecor.exe	36
PID 1652 set thread context of 2164	1652	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 3052 wrote to memory of 2648	3052	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	30
PID 2648 wrote to memory of 2732	2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	31
PID 2648 wrote to memory of 2732	2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	31
PID 2648 wrote to memory of 2732	2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	31
PID 2648 wrote to memory of 2732	2648	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	31
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2732 wrote to memory of 2872	2732	omsecor.exe	32
PID 2872 wrote to memory of 1708	2872	omsecor.exe	35
PID 2872 wrote to memory of 1708	2872	omsecor.exe	35
PID 2872 wrote to memory of 1708	2872	omsecor.exe	35
PID 2872 wrote to memory of 1708	2872	omsecor.exe	35
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1708 wrote to memory of 1188	1708	omsecor.exe	36
PID 1188 wrote to memory of 1652	1188	omsecor.exe	37
PID 1188 wrote to memory of 1652	1188	omsecor.exe	37
PID 1188 wrote to memory of 1652	1188	omsecor.exe	37
PID 1188 wrote to memory of 1652	1188	omsecor.exe	37
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38
PID 1652 wrote to memory of 2164	1652	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
"C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
  C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e9e683900ee96f066e46cfaa5d508275

SHA1
96ad9dc12b1983a0f7dc34db88e48f4ca3a5fe29

SHA256
89ba4184363a03e939f88438801f6e8edeee8a864c48a0fb512132f935389cc3

SHA512
df6cade8f6bf7d4edb9d25f2893f99e59ad9c7ba36c7f9966f314577e4a3b9ea2d61b8062fbb2b7383f533263c976922ceb8d7fbea76d66c0a75a5bfd8ada9dc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
202cddf2660b9fcaf9cbcb8c399a1378

SHA1
2a099f6ad95015dcffe8a5ad42dbad3e0fb6096c

SHA256
5cb719baba4d6935214bed7d28ecd78e0c35175bfeb82e0b1776a41732ab4225

SHA512
749eef9e9a5d271411b20050271b5697eb358f47ce8c812af6c34e1099477fd2a6da8d9dd61d74ced427ce22406408f65f6a0afc4d5e99d9b672fa89e34bb15a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
15545a8d0275f0199df737ffb57607d7

SHA1
f151eb84a92e654d9b0b3597615c25b2decfbe9c

SHA256
7a862bdfea0d13d80db6cb1e35bc2cfadc127548d3d313ed6a13e11dae782fce

SHA512
ac8fbe68ab8d20c0ccc94ca57ed98f3baeb00cda96985b7528d6ee7b425afb2c49508b5ed79f8003aa7ef745995283247bbd2dee596c457d6889d3caf76218da

Download Submit
memory/1188-73-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1652-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1652-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2164-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2648-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2732-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-48-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2872-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-1-0x0000000001C80000-0x0000000001CA3000-memory.dmp

Filesize
140KB

Download