neconyd | 89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
Size

96KB
MD5

11f745ff5fba532c6ed198071295e5a0
SHA1

e938df26d9135a8ed58e71467902416fefb6eacc
SHA256

89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043b
SHA512

57ae692375323b6ccc29cdc2d14eb0edfa11501469bdb0e70fa76bd729779d159f48c568eedad297f3bfe5ad118c299610e81e7ba69f6f7c597adf94a4800830
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3020	omsecor.exe
1912	omsecor.exe
760	omsecor.exe
2032	omsecor.exe
2616	omsecor.exe
272	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
3020	omsecor.exe
1912	omsecor.exe
1912	omsecor.exe
2032	omsecor.exe
2032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 3020 set thread context of 1912	3020	omsecor.exe	33
PID 760 set thread context of 2032	760	omsecor.exe	37
PID 2616 set thread context of 272	2616	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2832 wrote to memory of 2360	2832	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	31
PID 2360 wrote to memory of 3020	2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	32
PID 2360 wrote to memory of 3020	2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	32
PID 2360 wrote to memory of 3020	2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	32
PID 2360 wrote to memory of 3020	2360	89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe	32
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 3020 wrote to memory of 1912	3020	omsecor.exe	33
PID 1912 wrote to memory of 760	1912	omsecor.exe	36
PID 1912 wrote to memory of 760	1912	omsecor.exe	36
PID 1912 wrote to memory of 760	1912	omsecor.exe	36
PID 1912 wrote to memory of 760	1912	omsecor.exe	36
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 760 wrote to memory of 2032	760	omsecor.exe	37
PID 2032 wrote to memory of 2616	2032	omsecor.exe	38
PID 2032 wrote to memory of 2616	2032	omsecor.exe	38
PID 2032 wrote to memory of 2616	2032	omsecor.exe	38
PID 2032 wrote to memory of 2616	2032	omsecor.exe	38
PID 2616 wrote to memory of 272	2616	omsecor.exe	39
PID 2616 wrote to memory of 272	2616	omsecor.exe	39
PID 2616 wrote to memory of 272	2616	omsecor.exe	39
PID 2616 wrote to memory of 272	2616	omsecor.exe	39
PID 2616 wrote to memory of 272	2616	omsecor.exe	39
PID 2616 wrote to memory of 272	2616	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
"C:\Users\Admin\AppData\Local\Temp\89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
  C:\Users\Admin\AppData\Local\Temp\89d2eff9d935f1ad1305a40d93adbcff1d305db7f124b48aa4437bde4668043bN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
032b1f6ae908584d09b9a748199b326f

SHA1
c8e724521a28fea9e2faf74d9f05dfc7e5cc159e

SHA256
48019496db6001ba11fbe4043788aed1a2c0da08bdde50b003e49dc523158af6

SHA512
874d7f3c85880b47ac9f92d6c07a5d9d235bee9cb173d5ba4e61e3c598757f56542d653fe6f8ba680f0153cf0fab3dfbd33d02ab426f6b2fd4c4354228ff3e34

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5ce248f095088f083e12fbe23cddbff8

SHA1
2f0d311d6a4a5f82a20ff557d2e39b405d021480

SHA256
bc182e7eeb11edb11309cf855e7d6712b18f880922ddc49db5e76e38e13e35d9

SHA512
dc3c82c069069253a7081525b9eb7ebc2b2db346fbdcb6d67db98fc6d1c2c421de7bfeb96604e3a233a0d1df91885f8ae66372f58d0dd3a2180c8a82c617d1a1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c4f79dc7d81f49f217c3c5515afb961f

SHA1
dc1d42d095506a7298a4ca9862d499f218a5bac8

SHA256
ea7a25cb9c95a5b60c5a753135c50d9f4332111d59b153697774299fad3d3063

SHA512
b3485980e13dc32c65f4b8c5c31f4ab972f88f45675d452fd95542464957e0826163aee8c7d47fd0721630b0a67089e645c8385fb9b5d50a121c1c2f642c514e

Download Submit
memory/272-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1912-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-50-0x0000000001FF0000-0x0000000002013000-memory.dmp

Filesize
140KB

Download
memory/1912-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2616-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2832-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3020-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download