neconyd | ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
Size

96KB
MD5

0264d14980661b47db76a17367a6e570
SHA1

9041277f7bc67bf0f5557561874e2f12c7aca851
SHA256

ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e
SHA512

1216acf5840aaf71c9d2dcb7bab8f64eadbde882200e2e1462f734268d7e52640de3a2ade1c33819b528cd564c94acec130ecf1d5d8797b2f2146c6f210fffed
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2716	omsecor.exe
2640	omsecor.exe
1500	omsecor.exe
1416	omsecor.exe
1808	omsecor.exe
2144	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
2716	omsecor.exe
2640	omsecor.exe
2640	omsecor.exe
1416	omsecor.exe
1416	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2716 set thread context of 2640	2716	omsecor.exe	32
PID 1500 set thread context of 1416	1500	omsecor.exe	35
PID 1808 set thread context of 2144	1808	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 2872 wrote to memory of 3036	2872	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	30
PID 3036 wrote to memory of 2716	3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	31
PID 3036 wrote to memory of 2716	3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	31
PID 3036 wrote to memory of 2716	3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	31
PID 3036 wrote to memory of 2716	3036	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	31
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2716 wrote to memory of 2640	2716	omsecor.exe	32
PID 2640 wrote to memory of 1500	2640	omsecor.exe	34
PID 2640 wrote to memory of 1500	2640	omsecor.exe	34
PID 2640 wrote to memory of 1500	2640	omsecor.exe	34
PID 2640 wrote to memory of 1500	2640	omsecor.exe	34
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1500 wrote to memory of 1416	1500	omsecor.exe	35
PID 1416 wrote to memory of 1808	1416	omsecor.exe	36
PID 1416 wrote to memory of 1808	1416	omsecor.exe	36
PID 1416 wrote to memory of 1808	1416	omsecor.exe	36
PID 1416 wrote to memory of 1808	1416	omsecor.exe	36
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37
PID 1808 wrote to memory of 2144	1808	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
"C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
  C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d1298028b4d4f9b9918e50d5985ddc56

SHA1
a2da6a52111b7270b2502d4f55dbafdcb7534662

SHA256
d77c7f4c917974677df247b5e7b7c18d9bf3ea2ea726a3a514cdb2783ffd764b

SHA512
4a6fb383d9dad09b2cfe13d3232af4c26d3d09a51a34f769d1aea0124f0617e50cdc1aa99d721d9db86556824220e6b0752e5c1e9d7eb54632eda68aee1c40dd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c07e41f67dbea4a6dd6d7bf541848c4c

SHA1
6da6dd385d45736a623182791be973639a5d0b8f

SHA256
b10c0fc0782b096766ecb42fe854d35f9e6bea54f493c9c56c8b7db21c76f623

SHA512
52c3cab44df21d27f1b0a24f47263cd67fc31cfd2442634192c12c5abc50d4eea924d0b047fe5b2afed71049636bbd8dd5f9ca56b201ff8dbccc8cd57d3ae87c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ad05607ac38718f739c4c0ae9aeb9d4b

SHA1
eda1c10372484843d8665956d0f74e9af118c703

SHA256
d9dcb6fb3114d4acc675355f4f194cfdba76cc8d80474f633dcc364dc9d8d317

SHA512
770457af99ddafa9074b5aa17558220db00e33d6f78923af42cba591df7d30d02bf06fa227169c361167fdf3c5aa1dfd0c690cf3fe6f3f52508cc52dc0855842

Download Submit
memory/1416-69-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1500-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1500-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1808-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2144-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download