neconyd | eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
Size

96KB
MD5

9077f406c77180e40d5be6e2c416b925
SHA1

4c5d516ee659ef093d3951de4bdf1e277e304aae
SHA256

eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543
SHA512

280c8fd447a7e3ba8ac811246f78f496efa06da24e9b8ec89fa8663fec3ef777452c36b610cf19586d4f9d943a4ba93f45bd0d41f43b8912823b44a7f00e1c06
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:oGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3032	omsecor.exe
2496	omsecor.exe
788	omsecor.exe
2120	omsecor.exe
1076	omsecor.exe
2224	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
3032	omsecor.exe
2496	omsecor.exe
2496	omsecor.exe
2120	omsecor.exe
2120	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 3032 set thread context of 2496	3032	omsecor.exe	33
PID 788 set thread context of 2120	788	omsecor.exe	37
PID 1076 set thread context of 2224	1076	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2788 wrote to memory of 2840	2788	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	31
PID 2840 wrote to memory of 3032	2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	32
PID 2840 wrote to memory of 3032	2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	32
PID 2840 wrote to memory of 3032	2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	32
PID 2840 wrote to memory of 3032	2840	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	32
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 3032 wrote to memory of 2496	3032	omsecor.exe	33
PID 2496 wrote to memory of 788	2496	omsecor.exe	36
PID 2496 wrote to memory of 788	2496	omsecor.exe	36
PID 2496 wrote to memory of 788	2496	omsecor.exe	36
PID 2496 wrote to memory of 788	2496	omsecor.exe	36
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 788 wrote to memory of 2120	788	omsecor.exe	37
PID 2120 wrote to memory of 1076	2120	omsecor.exe	38
PID 2120 wrote to memory of 1076	2120	omsecor.exe	38
PID 2120 wrote to memory of 1076	2120	omsecor.exe	38
PID 2120 wrote to memory of 1076	2120	omsecor.exe	38
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39
PID 1076 wrote to memory of 2224	1076	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
"C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
  C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
036267cd3f8c64073ae67fb330140e98

SHA1
b1d13a60aae5500dbcb2b48daf3348e0807e125b

SHA256
07f12dd0c03a5c1427bb498ba6674dfb1152600ef60a7f2e7aaee9d987993227

SHA512
150b5536012f01452b6901d675343c2ea946e15a279bc653bc5b094a49e5d4e586bef9355124dd32e799c50f70b6c154ee58268fe7e7a81de2f6a44c75b43740

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1ee9b074995de99c06372f24b5cfda56

SHA1
b96f9940d7d830ff3fd8d895709ff59a13c85e59

SHA256
1d66253f90878011b918df67b24fea58437eed05105daf551cf1b4a3cecda9ed

SHA512
f698154f4e9a4a79ed4ac3f06edda00d9e91a28cec7458cf907fbe239cd67819f3a69e0bd7d4d672ced260e39c9793c816b98711ef8a1bdb03faa38bc0b89277

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
08b17e5b709cd0abee358a8c8b3959ab

SHA1
9d0efe83be22c4bcfda08b7d75513f049e1caba0

SHA256
646c9d8017dedb86c85c162d0878c46f0b8b8aa761936b64fa193aaed0b85e2b

SHA512
4a3f26a5059f1b2ee900b29a2838076a6a794252f26513812c08abae111df149dd4229b4f3fc86d0f0eca80f3ecf6d3a99ac42471b200a34801f418fdf9a7c8e

Download Submit
memory/788-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1076-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1076-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2224-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2224-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-47-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2496-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-24-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/3032-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download