neconyd | 739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Size

96KB
MD5

080594bcf7871f91672db59210446840
SHA1

f831d47f2d7ea176b6b41e88b5318167ade5b450
SHA256

739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42
SHA512

19ae0b3a739a1f27a2e702c2fb8d23f8a14eeb9eed537e177276b0fdae90eaf118ec319048b6517bddcb448bec988688d50b425ebc4e82402fe1decd89974639
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:5Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2768	omsecor.exe
2056	omsecor.exe
1220	omsecor.exe
1348	omsecor.exe
2664	omsecor.exe
2184	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
2768	omsecor.exe
2056	omsecor.exe
2056	omsecor.exe
1348	omsecor.exe
1348	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2768 set thread context of 2056	2768	omsecor.exe	33
PID 1220 set thread context of 1348	1220	omsecor.exe	37
PID 2664 set thread context of 2184	2664	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2328 wrote to memory of 2348	2328	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	31
PID 2348 wrote to memory of 2768	2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	32
PID 2348 wrote to memory of 2768	2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	32
PID 2348 wrote to memory of 2768	2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	32
PID 2348 wrote to memory of 2768	2348	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	32
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2768 wrote to memory of 2056	2768	omsecor.exe	33
PID 2056 wrote to memory of 1220	2056	omsecor.exe	36
PID 2056 wrote to memory of 1220	2056	omsecor.exe	36
PID 2056 wrote to memory of 1220	2056	omsecor.exe	36
PID 2056 wrote to memory of 1220	2056	omsecor.exe	36
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1220 wrote to memory of 1348	1220	omsecor.exe	37
PID 1348 wrote to memory of 2664	1348	omsecor.exe	38
PID 1348 wrote to memory of 2664	1348	omsecor.exe	38
PID 1348 wrote to memory of 2664	1348	omsecor.exe	38
PID 1348 wrote to memory of 2664	1348	omsecor.exe	38
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39
PID 2664 wrote to memory of 2184	2664	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
"C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
  C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
70eed2c6a8c9f63917f1ed0eac86a39e

SHA1
8ead821ad2cbe5a41aa244d4003f5bb1f4fffaca

SHA256
520334db5d4fa1f2bf193e8f808ec37f668f638db17fdb9ef8f2846727ee7c54

SHA512
a6c1b167260b7fddfaad963096fc9f01c30d7cabc11faeadec69845fd22e867f8e431335e6404781d28169549a794f942ae3f16960b064eecc1df6fad3c2c3a7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
633269b0bcc7f7fd2e46b570ac2c81f9

SHA1
99a3c96397a65929bcf8478dda45d0af3781415b

SHA256
30915b910cc8eabb576afe96b18918510421dcc4f55cd8decd001547ac94e047

SHA512
ac60c2873a0da5d296511c1e2b89aa0adec27653f96c949c3cdf6f3665308c1c2ab3fdab95982a7d94664304abce1ea0626d193d07299b37ed310e4bb6278199

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2d9e8064e1995f2e496fded097153968

SHA1
c83d060e14ebeead1ca06a7a6f5feef2b6e48355

SHA256
6cb153eca73439efd1bf533a34c97f7e235ed6237fd51bccc4a69141e363119a

SHA512
d3137e01a1ef44f3a7e2be7b9ed57f44d2def10d96855bc6e4cbfa7259545eba7c8068b37e4013b23d09ed430f389ab5ecf451d8488e3967b461f70ac4a85806

Download Submit
memory/1220-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1220-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1348-90-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1348-78-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2056-52-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2056-53-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2056-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2328-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2328-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2664-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2768-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2768-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download