neconyd | 83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5cc

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
Size

96KB
MD5

b41e920849e803b332e981b27ac59a30
SHA1

8d0e8f860f347f11823b0513a615992105ee6d07
SHA256

83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5cc
SHA512

b7a3184019d179cc42e88a22b5435470cc67adb279e37a4e34273dec2a67ed93b8928f7e1903ab02bec2a65f1c1c3926417d7c14a64da8849940b53065738ae8
SSDEEP

1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:1Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2092	omsecor.exe
1804	omsecor.exe
2744	omsecor.exe
1492	omsecor.exe
1904	omsecor.exe
716	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
2092	omsecor.exe
1804	omsecor.exe
1804	omsecor.exe
1492	omsecor.exe
1492	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 2092 set thread context of 1804	2092	omsecor.exe	33
PID 2744 set thread context of 1492	2744	omsecor.exe	36
PID 1904 set thread context of 716	1904	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 1712 wrote to memory of 2352	1712	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	30
PID 2352 wrote to memory of 2092	2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	31
PID 2352 wrote to memory of 2092	2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	31
PID 2352 wrote to memory of 2092	2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	31
PID 2352 wrote to memory of 2092	2352	83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe	31
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 2092 wrote to memory of 1804	2092	omsecor.exe	33
PID 1804 wrote to memory of 2744	1804	omsecor.exe	35
PID 1804 wrote to memory of 2744	1804	omsecor.exe	35
PID 1804 wrote to memory of 2744	1804	omsecor.exe	35
PID 1804 wrote to memory of 2744	1804	omsecor.exe	35
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 2744 wrote to memory of 1492	2744	omsecor.exe	36
PID 1492 wrote to memory of 1904	1492	omsecor.exe	37
PID 1492 wrote to memory of 1904	1492	omsecor.exe	37
PID 1492 wrote to memory of 1904	1492	omsecor.exe	37
PID 1492 wrote to memory of 1904	1492	omsecor.exe	37
PID 1904 wrote to memory of 716	1904	omsecor.exe	38
PID 1904 wrote to memory of 716	1904	omsecor.exe	38
PID 1904 wrote to memory of 716	1904	omsecor.exe	38
PID 1904 wrote to memory of 716	1904	omsecor.exe	38
PID 1904 wrote to memory of 716	1904	omsecor.exe	38
PID 1904 wrote to memory of 716	1904	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
"C:\Users\Admin\AppData\Local\Temp\83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
  C:\Users\Admin\AppData\Local\Temp\83a5897567e48881a2d1ff5da18b29092746f659802f0f5ba96760a2e6efc5ccN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
87187790bb6d0f32b3374a02682a273f

SHA1
ae4f881cf61aec972accfc70fdc9094085c41493

SHA256
f0729945013661888667f795445e26df6a890240365c95c6630c2efa18bd8bcb

SHA512
fc5e7491434e0ee9a5817725a795b828986b2a06cf38ec0a32f9bb147cf1c801b0619850e574e6f102827ee94cf63471a629bb5a83760d2be7e2e0dcbab15f85

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5a3c6d9fbb6b2516f805ef9f51167737

SHA1
8f0a0387da756e54ea2a735290ed267b38181790

SHA256
fa7c87f9cbc8594b56e8ba91f3915c76da92b7acab437eb5929a8e36dc8d1346

SHA512
1f3cd85aad8b88f3e0672065e9b16c59381fccce65394465f7bf915533a69b2d60c882b1f644aa09434960228642778787d71618ae91bacaf7f85a1902f5c668

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
16d08b28f86c29fb9c923a1d8cc1994d

SHA1
c2637dd7cd80c456be3a9dbbd01af07e9f460071

SHA256
30cf159c79a2c494aa33e05c3bdfe7efd8b03c33400465611fe2e92e72212cb1

SHA512
493eb5166070fb6cea6545ad280d81e5e2ccb580cee294cac8e8083c10ba37b86356a9f63ba9c770481a0ef63ff73e68aaef6810470eb0f8457bd1c67a835c3b

Download Submit
memory/716-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1712-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1712-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-53-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/1804-49-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/1804-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1904-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-26-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2092-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-14-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2352-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-21-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2352-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download