neconyd | d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8

Analysis

max time kernel
111s
max time network
100s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
Size

96KB
MD5

51d9102330c347eec39456dfea0e2d58
SHA1

603e97d3c486a8bae37ad8ddfe090d5db138d77e
SHA256

d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8
SHA512

44690610ebf5a671cad8a667f7f82c0f635fcb9ec2349574c15fe4aa7729e632667eda0b13f781ac1a9cc44d2da7f09b61a04e6ad93df5285aaf0748506ed9a3
SSDEEP

1536:/nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:/Gs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1628	omsecor.exe
2140	omsecor.exe
1892	omsecor.exe
2888	omsecor.exe
2472	omsecor.exe
2256	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
1628	omsecor.exe
2140	omsecor.exe
2140	omsecor.exe
2888	omsecor.exe
2888	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 1628 set thread context of 2140	1628	omsecor.exe	32
PID 1892 set thread context of 2888	1892	omsecor.exe	36
PID 2472 set thread context of 2256	2472	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2400 wrote to memory of 2560	2400	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	30
PID 2560 wrote to memory of 1628	2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	31
PID 2560 wrote to memory of 1628	2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	31
PID 2560 wrote to memory of 1628	2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	31
PID 2560 wrote to memory of 1628	2560	d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe	31
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 1628 wrote to memory of 2140	1628	omsecor.exe	32
PID 2140 wrote to memory of 1892	2140	omsecor.exe	35
PID 2140 wrote to memory of 1892	2140	omsecor.exe	35
PID 2140 wrote to memory of 1892	2140	omsecor.exe	35
PID 2140 wrote to memory of 1892	2140	omsecor.exe	35
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 1892 wrote to memory of 2888	1892	omsecor.exe	36
PID 2888 wrote to memory of 2472	2888	omsecor.exe	37
PID 2888 wrote to memory of 2472	2888	omsecor.exe	37
PID 2888 wrote to memory of 2472	2888	omsecor.exe	37
PID 2888 wrote to memory of 2472	2888	omsecor.exe	37
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38
PID 2472 wrote to memory of 2256	2472	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
"C:\Users\Admin\AppData\Local\Temp\d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
  C:\Users\Admin\AppData\Local\Temp\d48841402fa017d9c240845552cd6aeecf5b4fef96f5d537040a90ae16278ed8.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a8b0e7da2c94140409c0e5d684b86bfd

SHA1
630560aecbc9589cb32b44d72579cd86fa7dd012

SHA256
66cab24bc25530e6b26dceb4d90f466f30ccab779c13b4e56214ba714ee99c18

SHA512
a7f076c764566c7efea9e8af4b82841799a20857eb79aee62db29815214012ea6cdded1c3215860e35a41244a85ac3b30bd49528736c928fd6c662f65dfd338d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
adbc5d1e8d338a0d21200bae956b4973

SHA1
a83b76114868ef518e6d20463f7bd748ab82874f

SHA256
7dc7b6508d7cadf1b34ed49ae5b9ccc6c0767b93bb0c3f267117df0a2d5a1704

SHA512
d94d8aa959d128f4932c9b9acc3952956a76f1694827322c3a29fbbfc43f1cc5572723c9a27b2c6dd34e23c1b033740e8194f87661fb001b293ffabbaaecf54c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c89a345100448335c0fad1443542d5d7

SHA1
dc3f836fb1bd6704fa71029743f1e9c3b83dd4d1

SHA256
4d1982fa4eac902701c6da39115869b106eb70cfac65f237272dbea83566a0c1

SHA512
e7155f68eba6842001a7f8602bc8885d8d57343f7d9e494cc99aa6beda4f93516afc30840b9deed18e1ca1e199ac66b3eb4aed8b17009d8a8dc85141c16d91a0

Download Submit
memory/1628-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2140-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2560-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2888-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download