neconyd | 4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
Size

96KB
MD5

2d7e939287535612dbb41a733fcfc732
SHA1

bc8ad3ba3f34ff2f083faa7e5cff2c9980b39715
SHA256

4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa
SHA512

46d9912255c2a67aa75eecbae9c5cf05980ecc69f61c386bb89789b5fe750fcf03f6c646b92fce60aefce4dc09c326c6ebd72809c8b71896099a991182f7912b
SSDEEP

1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:qGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2080	omsecor.exe
580	omsecor.exe
1932	omsecor.exe
1040	omsecor.exe
1684	omsecor.exe
1500	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
2080	omsecor.exe
580	omsecor.exe
580	omsecor.exe
1040	omsecor.exe
1040	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2080 set thread context of 580	2080	omsecor.exe	32
PID 1932 set thread context of 1040	1932	omsecor.exe	36
PID 1684 set thread context of 1500	1684	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 2992 wrote to memory of 3036	2992	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	30
PID 3036 wrote to memory of 2080	3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	31
PID 3036 wrote to memory of 2080	3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	31
PID 3036 wrote to memory of 2080	3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	31
PID 3036 wrote to memory of 2080	3036	4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe	31
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 2080 wrote to memory of 580	2080	omsecor.exe	32
PID 580 wrote to memory of 1932	580	omsecor.exe	35
PID 580 wrote to memory of 1932	580	omsecor.exe	35
PID 580 wrote to memory of 1932	580	omsecor.exe	35
PID 580 wrote to memory of 1932	580	omsecor.exe	35
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1932 wrote to memory of 1040	1932	omsecor.exe	36
PID 1040 wrote to memory of 1684	1040	omsecor.exe	37
PID 1040 wrote to memory of 1684	1040	omsecor.exe	37
PID 1040 wrote to memory of 1684	1040	omsecor.exe	37
PID 1040 wrote to memory of 1684	1040	omsecor.exe	37
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38
PID 1684 wrote to memory of 1500	1684	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
"C:\Users\Admin\AppData\Local\Temp\4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
  C:\Users\Admin\AppData\Local\Temp\4c41d619b25e431c35686261990c9c8e90952128c9c0f46dc86c123c043fc1fa.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fedc7ba54b918fa7934c8c2a70966d16

SHA1
18f8d25f91d2e719b2b4c4fd3b716230128f5792

SHA256
817ab325945f2b62308787dbc2a4147321af0805403ca893a304e3d0a682014e

SHA512
30513d5cbd32db71ebb48cb73c4e0f01384f05e63dbaa988e209f0d2ad406f5a26aa7919f28f1e674efdd95cb61fdb6f75c6d684a80623694f02ede25ba62cf8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e83b6cd5dc8be38ff7ba0e425458e3a7

SHA1
75c00a6b959df29d83fbc9e64bfd345766a47097

SHA256
a9a6f07686effc91a917423272f8415407789c7a40df52d5f314491ed9380ee5

SHA512
0ca912f6b9642ca1f63932ffbc1ebfec1a280b97dbdb2b92f0cd79d4e3338a8178d8126353941e5d2a171900d55624897ac6217a1109209f9f5a755bcece206f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b53a2083bd779460ddb24811e31d75fa

SHA1
51d4edae431982e5f591768e96fc115f3fdbed68

SHA256
e59741dc25b285b77546d0db611ec91a54d94f73b00ca1a1ba84aaa58f3b6789

SHA512
f808db6c9c0f1fe93c85d5aa5285fd36bce8ac6193747d0132d9f3f57dfc199c4e89a6e9a87514e57f906793f7b83bb6e1e6f51d00488867cd6ee5bc48831425

Download Submit
memory/580-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/580-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/580-46-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/580-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/580-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/580-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1040-71-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1500-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1684-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1684-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1932-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1932-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download