neconyd | 0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Size

96KB
MD5

9da845581bd68245737dedb0d1a076b0
SHA1

d1d9565288a7b77490fbaf25ef791d1b0d3ddedc
SHA256

0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34
SHA512

ea60d528113adef17a43affc1d564bf0da2c4962d1b08ea8a98a40d6907fee221a52bec3058211717cdd2db50cd688aaf467dcd99586ef4a32d74f1396ca801e
SSDEEP

1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:NGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1428	omsecor.exe
2396	omsecor.exe
1672	omsecor.exe
1952	omsecor.exe
1892	omsecor.exe
2896	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
1428	omsecor.exe
2396	omsecor.exe
2396	omsecor.exe
1952	omsecor.exe
1952	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 1428 set thread context of 2396	1428	omsecor.exe	32
PID 1672 set thread context of 1952	1672	omsecor.exe	36
PID 1892 set thread context of 2896	1892	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 2572 wrote to memory of 924	2572	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	30
PID 924 wrote to memory of 1428	924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	31
PID 924 wrote to memory of 1428	924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	31
PID 924 wrote to memory of 1428	924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	31
PID 924 wrote to memory of 1428	924	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	31
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 1428 wrote to memory of 2396	1428	omsecor.exe	32
PID 2396 wrote to memory of 1672	2396	omsecor.exe	35
PID 2396 wrote to memory of 1672	2396	omsecor.exe	35
PID 2396 wrote to memory of 1672	2396	omsecor.exe	35
PID 2396 wrote to memory of 1672	2396	omsecor.exe	35
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1672 wrote to memory of 1952	1672	omsecor.exe	36
PID 1952 wrote to memory of 1892	1952	omsecor.exe	37
PID 1952 wrote to memory of 1892	1952	omsecor.exe	37
PID 1952 wrote to memory of 1892	1952	omsecor.exe	37
PID 1952 wrote to memory of 1892	1952	omsecor.exe	37
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38
PID 1892 wrote to memory of 2896	1892	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
"C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
  C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8e2dab8d5af3bf25872671a740595ca4

SHA1
577868aef477d2cf3ff0c8fa28feac6b1962ebbc

SHA256
6f2900ffa9b536cfebc6d17779c052ae54c6354b8f0568a6a9998c9b9ea6019e

SHA512
df5fd77bc81847fd18072be0b42a792a8b396ed573aa87a48682c8e999875752bbd544aa4f3dc330e5958920ef1ef457a1685cdab3436874de3e552940758e4d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
393bc19d403d978217b60ddf117b1492

SHA1
fed0ab0b89605a4e9ea4cdb84f25747667d22955

SHA256
793fe1a371523770c3c2b77d612326ade362f42a8aa0ab521ce1e4e187f1dbb9

SHA512
1f7e52c54f9038e29cd611f26d9baacb970fd15c23cfb91317910fc396b41ba750a27eff79e7e635ebc5f132220caf70a0567843c5656008f09a2193a8e7bb12

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
57ccdd05efcc92d4d63aaa7a65dde585

SHA1
f70bee879af76eac7f574ff228743c0e2b82b026

SHA256
d6291ea9dfe8120cdfd6568d208eb777eb269224ce181822689c732d903dc203

SHA512
2f5fe0a8ae8f964ce9ce8d358665665be1b3d71a9351705838135b037bec3c9fd81f0fc951f5ebda96631232a5edf74dd819091a350d84d7f5689d363490e981

Download Submit
memory/924-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/924-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/924-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/924-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/924-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1428-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1952-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2396-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-53-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2396-46-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2572-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2896-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download