neconyd | 6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Size

96KB
MD5

8fc5f68cde19d34cf651fc419d9e231e
SHA1

ad35d560d15cb94f688f6caeceb72dce1870f059
SHA256

6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4
SHA512

86a8dc65e2f15ca424059ea67235a4b183fc7a3986b87495ebf114d7a665187032f7f226b72d2dee26fb4692b42c6a6bc213184c3717c18847ee71797a7f0aa5
SSDEEP

1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx6:LGs8cd8eXlYairZYqMddH136

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2244	omsecor.exe
2848	omsecor.exe
1936	omsecor.exe
1588	omsecor.exe
3020	omsecor.exe
2256	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
2244	omsecor.exe
2848	omsecor.exe
2848	omsecor.exe
1588	omsecor.exe
1588	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 2244 set thread context of 2848	2244	omsecor.exe	32
PID 1936 set thread context of 1588	1936	omsecor.exe	36
PID 3020 set thread context of 2256	3020	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 3052 wrote to memory of 1660	3052	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	30
PID 1660 wrote to memory of 2244	1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	31
PID 1660 wrote to memory of 2244	1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	31
PID 1660 wrote to memory of 2244	1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	31
PID 1660 wrote to memory of 2244	1660	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	31
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2244 wrote to memory of 2848	2244	omsecor.exe	32
PID 2848 wrote to memory of 1936	2848	omsecor.exe	35
PID 2848 wrote to memory of 1936	2848	omsecor.exe	35
PID 2848 wrote to memory of 1936	2848	omsecor.exe	35
PID 2848 wrote to memory of 1936	2848	omsecor.exe	35
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1936 wrote to memory of 1588	1936	omsecor.exe	36
PID 1588 wrote to memory of 3020	1588	omsecor.exe	37
PID 1588 wrote to memory of 3020	1588	omsecor.exe	37
PID 1588 wrote to memory of 3020	1588	omsecor.exe	37
PID 1588 wrote to memory of 3020	1588	omsecor.exe	37
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38
PID 3020 wrote to memory of 2256	3020	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
"C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
  C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
902b56eb9f3314f4b7480a686391e90f

SHA1
17e3a093343ef6876ce9d1a96ffc62526cd88645

SHA256
0a7eda8c40b0c712fd02e1fa13c97a102e19d8879f302e314b7c5ecae26b00e5

SHA512
ef50e86673ca11c08da80697d633e8cee5a6c4d2e99c5fc1c104852d640a2a5d1ee456119dea1148a8fe28347f55a71586938930996b645351a3c1e3b7178393

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1a880b90617659eb82740fcc1712eb6b

SHA1
bdc23b26276de45103344cd1ed4404a7d03c0510

SHA256
9980ef7da1d71d1730fb123f072a1f56c45c6803ad6d70b2e2186007aae71829

SHA512
1fbe3ee549c220bde3fcb11534d006a1f1221bfaaf9130e9c86b1868f386bb17da7f298b017d242fae8f7f86eabd148747a2f66dea673a4f021095de0ecda08c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f300a147e48dc7950dcf9479497e4d91

SHA1
c174a91a8b69daa904b472e1cd27f83f12bc7ceb

SHA256
137b1a36c1f8a607cbafad8f5ac1bcc4fb6a167e8abe0770ed2a40115c57762b

SHA512
b9e01044d8b788f3a3004df1ac0773c3e4e5215aff84eb2e8702e9fa125ab60f161efc5fa037c5c6863277c2f8a16071326e1f88e09680283fba20acc819553f

Download Submit
memory/1588-77-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1588-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1660-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1936-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-34-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2244-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2244-36-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2256-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-49-0x0000000000380000-0x00000000003A3000-memory.dmp

Filesize
140KB

Download
memory/2848-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-9-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download