neconyd | e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
Size

96KB
MD5

4da9f956e1aaf071e35e95cc5bb6e635
SHA1

6f7054da8b714c013e7664bed814d64a0bb7f77c
SHA256

e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a
SHA512

8cc9b428c0a646d5a7705622fc709acec0d38a8d17c711f2ba8ed838908085948f7049f1a574d7dc22babec9644354d20c26b3f74603221242e330e144defa8d
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:5Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1916	omsecor.exe
1056	omsecor.exe
1348	omsecor.exe
2140	omsecor.exe
1944	omsecor.exe
2304	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
1916	omsecor.exe
1056	omsecor.exe
1056	omsecor.exe
2140	omsecor.exe
2140	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 1916 set thread context of 1056	1916	omsecor.exe	32
PID 1348 set thread context of 2140	1348	omsecor.exe	35
PID 1944 set thread context of 2304	1944	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2568 wrote to memory of 2560	2568	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	30
PID 2560 wrote to memory of 1916	2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	31
PID 2560 wrote to memory of 1916	2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	31
PID 2560 wrote to memory of 1916	2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	31
PID 2560 wrote to memory of 1916	2560	e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe	31
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1916 wrote to memory of 1056	1916	omsecor.exe	32
PID 1056 wrote to memory of 1348	1056	omsecor.exe	34
PID 1056 wrote to memory of 1348	1056	omsecor.exe	34
PID 1056 wrote to memory of 1348	1056	omsecor.exe	34
PID 1056 wrote to memory of 1348	1056	omsecor.exe	34
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 1348 wrote to memory of 2140	1348	omsecor.exe	35
PID 2140 wrote to memory of 1944	2140	omsecor.exe	36
PID 2140 wrote to memory of 1944	2140	omsecor.exe	36
PID 2140 wrote to memory of 1944	2140	omsecor.exe	36
PID 2140 wrote to memory of 1944	2140	omsecor.exe	36
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37
PID 1944 wrote to memory of 2304	1944	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
"C:\Users\Admin\AppData\Local\Temp\e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
  C:\Users\Admin\AppData\Local\Temp\e7fad725bec06f485ee14fcb4a6d17cf079e1ed73a96d2d25fb7d43163e3b92a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8449443b326f346db750b775da0c90be

SHA1
377d69c62fcb5ea3b5ca289f4daa508806a5ee29

SHA256
f2b1eee8e91db5f8273b135e248af806be89a4081f4d2303906b15ed23a9e6ba

SHA512
41508e1d356eb5f22d237424fb06e20fe86d6d8e5d4638b813055d0c9a02b7296f253a89e2f70895ef78da4da9572c05c4be40db4655a3c968b422417dcab080

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5a991479f06a5ae4cd80f553180ab223

SHA1
d3d9c37734324af9d1501eae94743b8a4353e86c

SHA256
6ce5c7fbb9994d9034cf55a0cd187937a7063f5bc2fdb2d9a9cbbedb0ab20b51

SHA512
6a08fa842aa1fdcd3ed702899dce42712c15e074645267173e05308fad89425f86f490907213df0bf3d81050511a64823f156b5689c1944414b4b37a1e57996b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7d1a3be83798fab91ab9110925c8a962

SHA1
c603647a7510167bebe3daeaec60cb6f0a122c6a

SHA256
488535f1ede029d3c48471341484e6e298198d9e197976c3432fa690367638f8

SHA512
b6cf7924ebe01cb0846ec862b8cd2ee15112058ea38e5cc35a027c0ca30d5cfb2d526cab9d51a332ad80e980fcb7baec233a6d32ff6a8dad5d57b4cc2731a52e

Download Submit
memory/1056-56-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/1056-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-47-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/1056-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-25-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1916-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2140-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2304-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2304-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2560-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2568-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download