neconyd | 1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
Size

96KB
MD5

d859eddc3229abfa0ad3979a10e73800
SHA1

57e3e460dbdb277bec56b892f27d24b01a308bee
SHA256

1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1
SHA512

0795e2fe740b2e80da864518db47ab0e884380e6357e5c7b78f7054ace55f3f7f463faa03e9f112670f41fa79e8343bd0b0b9dbe36f20e94cb0c2aaa7aa67a02
SSDEEP

1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:qGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2360	omsecor.exe
2416	omsecor.exe
1524	omsecor.exe
1700	omsecor.exe
472	omsecor.exe
2924	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
2360	omsecor.exe
2416	omsecor.exe
2416	omsecor.exe
1700	omsecor.exe
1700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2360 set thread context of 2416	2360	omsecor.exe	32
PID 1524 set thread context of 1700	1524	omsecor.exe	36
PID 472 set thread context of 2924	472	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2444 wrote to memory of 2540	2444	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	30
PID 2540 wrote to memory of 2360	2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	31
PID 2540 wrote to memory of 2360	2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	31
PID 2540 wrote to memory of 2360	2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	31
PID 2540 wrote to memory of 2360	2540	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	31
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2360 wrote to memory of 2416	2360	omsecor.exe	32
PID 2416 wrote to memory of 1524	2416	omsecor.exe	35
PID 2416 wrote to memory of 1524	2416	omsecor.exe	35
PID 2416 wrote to memory of 1524	2416	omsecor.exe	35
PID 2416 wrote to memory of 1524	2416	omsecor.exe	35
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1524 wrote to memory of 1700	1524	omsecor.exe	36
PID 1700 wrote to memory of 472	1700	omsecor.exe	37
PID 1700 wrote to memory of 472	1700	omsecor.exe	37
PID 1700 wrote to memory of 472	1700	omsecor.exe	37
PID 1700 wrote to memory of 472	1700	omsecor.exe	37
PID 472 wrote to memory of 2924	472	omsecor.exe	38
PID 472 wrote to memory of 2924	472	omsecor.exe	38
PID 472 wrote to memory of 2924	472	omsecor.exe	38
PID 472 wrote to memory of 2924	472	omsecor.exe	38
PID 472 wrote to memory of 2924	472	omsecor.exe	38
PID 472 wrote to memory of 2924	472	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
"C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
  C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
204856c14e20765765c94991ef77d099

SHA1
ae5caff388434a93a4d0b9136de306486c1afec8

SHA256
07679811f4b7c3141681832bb8f704ecea2e6b0938cdb39d934a81877b9894a9

SHA512
21c60207639916f2a2ac668df981bfa1faab26ab04544d2af6d2463ac62abddbec4292adbb8b70ab51553271eee280bcabf34e2631725d5b54aaf4dbdf4de84a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
43c2dd5490be7811a34c21e600e658d9

SHA1
cc5ac0fda658e8ea5d25a7dce41e0acca0a36eff

SHA256
c933d9ef3da7524cb6fe5ddff8dd24ff52031e7d89702b9e599a4138d87b4140

SHA512
59f6a88f7bbb52101f1db906294c847252ed0122f232a5a913b4544e5751d7709dd962dc2f339fbbe6ffadd9e6d23e3692f76c4bbb8e726e5cfe4bea5ae8e894

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
fb12a1312d452c53017ed514c8d90737

SHA1
c140e1e8690b1300742b1c85cba0b7dd0a323e86

SHA256
3c866f8c6feacbb6e340fee946579203971a352c543919dd33524c8f40a49cda

SHA512
6296698a2980ffed20434745123b93055ad5fb6bbf62d9b8f50f0bebf00dcf3ac1477cb0f66f9347fb027861aa7b6675aca9ae174aa6f99b9c4728cc6bb60734

Download Submit
memory/472-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1700-72-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2360-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-52-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2416-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-53-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2416-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2444-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2444-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download