neconyd | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Size

96KB
MD5

1ed206ccb847192d9a5bc700d2ce9f30
SHA1

8cd8f19f39ba976f4ae5260aa247b534dc78a7f7
SHA256

3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae
SHA512

ff27ddf559984e66e34dec8e88ba876a92b0103921bb0bbe53eabefc015079bf9ba6ed43d595ffcfb6b730a591a5fbc3e1e07e2ed21a01605f2e125e8c67a42a
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2748	omsecor.exe
2708	omsecor.exe
3036	omsecor.exe
2008	omsecor.exe
484	omsecor.exe
1836	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
2748	omsecor.exe
2708	omsecor.exe
2708	omsecor.exe
2008	omsecor.exe
2008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2748 set thread context of 2708	2748	omsecor.exe	32
PID 3036 set thread context of 2008	3036	omsecor.exe	35
PID 484 set thread context of 1836	484	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2236 wrote to memory of 2692	2236	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	30
PID 2692 wrote to memory of 2748	2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	31
PID 2692 wrote to memory of 2748	2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	31
PID 2692 wrote to memory of 2748	2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	31
PID 2692 wrote to memory of 2748	2692	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	31
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2748 wrote to memory of 2708	2748	omsecor.exe	32
PID 2708 wrote to memory of 3036	2708	omsecor.exe	34
PID 2708 wrote to memory of 3036	2708	omsecor.exe	34
PID 2708 wrote to memory of 3036	2708	omsecor.exe	34
PID 2708 wrote to memory of 3036	2708	omsecor.exe	34
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 3036 wrote to memory of 2008	3036	omsecor.exe	35
PID 2008 wrote to memory of 484	2008	omsecor.exe	36
PID 2008 wrote to memory of 484	2008	omsecor.exe	36
PID 2008 wrote to memory of 484	2008	omsecor.exe	36
PID 2008 wrote to memory of 484	2008	omsecor.exe	36
PID 484 wrote to memory of 1836	484	omsecor.exe	37
PID 484 wrote to memory of 1836	484	omsecor.exe	37
PID 484 wrote to memory of 1836	484	omsecor.exe	37
PID 484 wrote to memory of 1836	484	omsecor.exe	37
PID 484 wrote to memory of 1836	484	omsecor.exe	37
PID 484 wrote to memory of 1836	484	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
"C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a0ead96d1e0386ae43357e8f63063aed

SHA1
a53b914be998d10cc704c35652099cc9d2fe75b4

SHA256
e7481098956298c6a44546f7a270db4a72c40876e268298df7c5455282855717

SHA512
19770f5f8aa2fc749322ca010cab8a156c012f0b01b68edbff926d4fb5bce142157a1fb541ad21f104ae0a6a29e7e8ed2e0414299e336ccca88bdecf8b64aca5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
da8034b506342218c1b5d69cd693d721

SHA1
39468ba17368db2515c6acca884ac8a546942b78

SHA256
a072734720a832eb10ab026d7057b3faef8e90a27c025306f4c85ad14ac03010

SHA512
dd0905fd5338cdce4ccad031d548bb78e0abd885ce47a153633a3402bbb7ce2efa5ae536894a7738c25c5ca4a76b5ed0fa8c12ee4ff005bd96037e5268afc651

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6de28978390db502c2cb55f0de00c377

SHA1
02f1af088463db7ef33b51a70e4fa9090d13135f

SHA256
27a12f3445d31f36fb9940078330f8b9cb161bddc27fae34e86b7be90c821cab

SHA512
08cd5eb158c4261f8c52f12f9859c178354c2a4675c07d519c47d17d0ae490dcee0d068425fa5e3a86bd91db05733351516bbf0b99ab7dce214a018371ade2d1

Download Submit
memory/484-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/484-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2692-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2708-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2748-24-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/2748-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download