neconyd | facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
Size

96KB
MD5

2b3bf1308b7e79ef933b3d2592048f90
SHA1

387d9d6b78e9aa6fef3ddc5d08962a0c6711526c
SHA256

facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a
SHA512

3f86081d595862dd03a97f01ee65d25a5ab22f402edf98257060d398632efabdcbc0ad378b149d5dfd71fc98b70f4f43fd2faafafa6e5f4810722ac31b2ff25b
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2836	omsecor.exe
2976	omsecor.exe
2832	omsecor.exe
2928	omsecor.exe
2036	omsecor.exe
2196	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
2836	omsecor.exe
2976	omsecor.exe
2976	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2836 set thread context of 2976	2836	omsecor.exe	31
PID 2832 set thread context of 2928	2832	omsecor.exe	34
PID 2036 set thread context of 2196	2036	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2460 wrote to memory of 2456	2460	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	29
PID 2456 wrote to memory of 2836	2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	30
PID 2456 wrote to memory of 2836	2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	30
PID 2456 wrote to memory of 2836	2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	30
PID 2456 wrote to memory of 2836	2456	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe	30
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2836 wrote to memory of 2976	2836	omsecor.exe	31
PID 2976 wrote to memory of 2832	2976	omsecor.exe	33
PID 2976 wrote to memory of 2832	2976	omsecor.exe	33
PID 2976 wrote to memory of 2832	2976	omsecor.exe	33
PID 2976 wrote to memory of 2832	2976	omsecor.exe	33
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2832 wrote to memory of 2928	2832	omsecor.exe	34
PID 2928 wrote to memory of 2036	2928	omsecor.exe	35
PID 2928 wrote to memory of 2036	2928	omsecor.exe	35
PID 2928 wrote to memory of 2036	2928	omsecor.exe	35
PID 2928 wrote to memory of 2036	2928	omsecor.exe	35
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36
PID 2036 wrote to memory of 2196	2036	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
"C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
  C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1c190a9308343d4e06ddb69d23e3eaa2

SHA1
f1dbf1b9bc052678ec282215034f37e54a4e6c0e

SHA256
a76d66d79700dd1bad84fad4eb4380a920e4e5136aae0e460d2625d3f259a706

SHA512
28b50f7d02701e202bc3f015c4733e540fac221b27317622094b7458fd31a53e136be776e2d251a2bddc9a369e020934c9df509155cab68948cb75852abc3d54

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
05beeac2dfb84cdfc81f7ca1eada480d

SHA1
e1f52a724a0e98d62cf93789ef26465542e58573

SHA256
7b0e4c6c0eb7c6adbe1e21831242dd9c0cf573290f6f06fd39ca9e72369ae427

SHA512
de02784bc6b255a13172e0303cbc9f575109b35ac34007f81d1d1c7ee2f589891f5390ec6bf1b4cedd2eab4686a2a9ee9fce78b0488cc3102436371fa62dbb53

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9f922e1b2e2c2a0b38e6c4d99326869c

SHA1
b2b5099f32ac4799a96a843b9cb6d2b3996f3e0e

SHA256
550d1157a3f768d01da120c4a791d0eb57ffbe88dd52784887ce1b78741aa212

SHA512
46610053d4ab3941b8d9f331976162ce7a3e01f1585c0a14c5b2776fd88d5413abd52338ecfd5d9d70c152838e383a232934c4f403772a5a0ee07932d377a0ae

Download Submit
memory/2036-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2196-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2460-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2460-35-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2460-9-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2832-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2836-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2836-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-79-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/2976-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-48-0x0000000000350000-0x0000000000373000-memory.dmp

Filesize
140KB

Download
memory/2976-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download