neconyd | a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
Size

96KB
MD5

543e807cf6b3c90d883cb53a56978b4e
SHA1

e2db51773c28bb6130f7959cfeedbcb6bfb31457
SHA256

a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6
SHA512

d50e1c7aee2a76de5feaa1e3e0914e63fce05a9c4bc1b48375d9fd92c692cebd7549f8ce8c8f96be8ddcc6dd0c8036f99e791d2c876e85740481da7de2136b9c
SSDEEP

1536:ynAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:yGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2356	omsecor.exe
2912	omsecor.exe
2856	omsecor.exe
2940	omsecor.exe
3052	omsecor.exe
3040	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
2356	omsecor.exe
2912	omsecor.exe
2912	omsecor.exe
2940	omsecor.exe
2940	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2356 set thread context of 2912	2356	omsecor.exe	32
PID 2856 set thread context of 2940	2856	omsecor.exe	35
PID 3052 set thread context of 3040	3052	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2464 wrote to memory of 2344	2464	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	30
PID 2344 wrote to memory of 2356	2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	31
PID 2344 wrote to memory of 2356	2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	31
PID 2344 wrote to memory of 2356	2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	31
PID 2344 wrote to memory of 2356	2344	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	31
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2356 wrote to memory of 2912	2356	omsecor.exe	32
PID 2912 wrote to memory of 2856	2912	omsecor.exe	34
PID 2912 wrote to memory of 2856	2912	omsecor.exe	34
PID 2912 wrote to memory of 2856	2912	omsecor.exe	34
PID 2912 wrote to memory of 2856	2912	omsecor.exe	34
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2856 wrote to memory of 2940	2856	omsecor.exe	35
PID 2940 wrote to memory of 3052	2940	omsecor.exe	36
PID 2940 wrote to memory of 3052	2940	omsecor.exe	36
PID 2940 wrote to memory of 3052	2940	omsecor.exe	36
PID 2940 wrote to memory of 3052	2940	omsecor.exe	36
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
  C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9630506f4a936fd3a0712b911303c08d

SHA1
737dd8b6023788a03b589dd9cb9c8305a029b18a

SHA256
f213e3df6c2bd90f0a12c0074120b8e5e34cdfd896715ec54a41573c9475149e

SHA512
7cdeec0ecdd3c86a4411ed47af5078a08b403dbbffcccd3d50dde583d2ac836e22dc4a919cd6f9affbf80be6a8cd8a6430caa43cce139dbbed464bb279689596

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b5f48c1d954c347aa740cfe7feba39bf

SHA1
2ca0229aae986282a382ca6e7303d8788e150c0e

SHA256
1a73e585aa4ff27d304ffb6e498a0cff934e524008fc8ba0be7616d94d5018bc

SHA512
6ff73d42391658939dbb32845bfe38c1085ecebaee3406292cee670f2eb5dbb1a3fa9c11ab26741fc51fea2832447824a4dd09e2570513a1455703e8944060db

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2b4e48b86f40dc24a62c0da4b509a700

SHA1
7f0bfcb077488685e461103da4cacf87594bc7a2

SHA256
6569a716ac8ddcf0e1ac3c959465858a817cda70631f9e371f0170d32eb1e972

SHA512
680648e4d4e8e3fb8db19badee2102560b96e0fa1af99734121d70c14ddf1535a1c6cf413ae9bc40fe55561c886338413f4258ab53f6aadfad6de3e26d60d458

Download Submit
memory/2344-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-25-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2356-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-2-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2856-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2856-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-48-0x0000000000800000-0x0000000000823000-memory.dmp

Filesize
140KB

Download
memory/2912-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download