neconyd | f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591c

Analysis

max time kernel
112s
max time network
107s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Size

96KB
MD5

065819ff293446c42805e107e60b27f0
SHA1

61e2b3344bb017cecbe99b200ba68c5492147d50
SHA256

f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591c
SHA512

92a7da14d2a3ce97f96d1c52de18a1b6a4de3a078e6e671578893d5ad54b3b5da46f26fda01415fca15eeb1bb92c1f70d248f682bf3e48bcd795e3ed3d0cb5f1
SSDEEP

1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:VGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2396	omsecor.exe
1956	omsecor.exe
1852	omsecor.exe
808	omsecor.exe
2296	omsecor.exe
856	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
2396	omsecor.exe
1956	omsecor.exe
1956	omsecor.exe
808	omsecor.exe
808	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2396 set thread context of 1956	2396	omsecor.exe	32
PID 1852 set thread context of 808	1852	omsecor.exe	36
PID 2296 set thread context of 856	2296	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2192 wrote to memory of 2100	2192	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	30
PID 2100 wrote to memory of 2396	2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	31
PID 2100 wrote to memory of 2396	2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	31
PID 2100 wrote to memory of 2396	2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	31
PID 2100 wrote to memory of 2396	2100	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	31
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 2396 wrote to memory of 1956	2396	omsecor.exe	32
PID 1956 wrote to memory of 1852	1956	omsecor.exe	35
PID 1956 wrote to memory of 1852	1956	omsecor.exe	35
PID 1956 wrote to memory of 1852	1956	omsecor.exe	35
PID 1956 wrote to memory of 1852	1956	omsecor.exe	35
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 1852 wrote to memory of 808	1852	omsecor.exe	36
PID 808 wrote to memory of 2296	808	omsecor.exe	37
PID 808 wrote to memory of 2296	808	omsecor.exe	37
PID 808 wrote to memory of 2296	808	omsecor.exe	37
PID 808 wrote to memory of 2296	808	omsecor.exe	37
PID 2296 wrote to memory of 856	2296	omsecor.exe	38
PID 2296 wrote to memory of 856	2296	omsecor.exe	38
PID 2296 wrote to memory of 856	2296	omsecor.exe	38
PID 2296 wrote to memory of 856	2296	omsecor.exe	38
PID 2296 wrote to memory of 856	2296	omsecor.exe	38
PID 2296 wrote to memory of 856	2296	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
"C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
  C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b895a52baaaaf06aae82bdf11182f0cc

SHA1
da5d9c5e7715e2a0e4791048dbc457b63e5c9fdf

SHA256
56473abed83889fa68584427086953f838ad853d926875b7366eae43e6a50095

SHA512
76f815be8fae19c76bafe267f4909d1164431c438c37d4169bd855ab152cce9fef0a192d02bba2b7db29fbc6507b860afeef23447e589fb4fe46a130e7cd30ce

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
76f89c8b037fef413f069a1ee17fc525

SHA1
0349e29f7de2bf49fe16d598426f1c6bf7cd1adf

SHA256
f52272ad90378f2e4e7ecb34748b7d1a2ef2cc282d862f3761d43d8696a6bc4e

SHA512
e16d040425075fdc400bbaee1663589ca67c6a341f217698275d6b37843cd9505fc81be7e6ff8a04172ecca3e5086bc5fb405bfabe42adf7148acfe203da926d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
58ff2bbcc77817233043fabd9842afac

SHA1
035d266335b8216c965e8efc59e500bfe83ae298

SHA256
0bb99154dcb8272a8b7012d4b9feda6d8a7bd2bb1e1534b5aeec7929b8f27577

SHA512
ee7c462efaaa3a79e49e807f2408e4e0aa4be4e80160b5524cb8de39ccda07f0df5325e135417dc955b1a99542332f30accca127a83c2e9ad4638fa7b08034a3

Download Submit
memory/808-72-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/856-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1852-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-48-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/1956-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2100-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2192-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2192-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2396-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2396-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download