neconyd | 4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
Size

96KB
MD5

e2939dea0aa94c39dbb06764957afc50
SHA1

1477cd7cd57d035e2dcd857ebcd89d5b622d4a5f
SHA256

4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8
SHA512

da3b7e541fc7fbf3a6c468eb0b8b8faf999a9247daadc28746941b7d979d3868ccd011c9794f5bcd858f271e9be53b37f8bdb4d1c84f644a38218cf0593e4eeb
SSDEEP

1536:CnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:CGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1724	omsecor.exe
2288	omsecor.exe
2532	omsecor.exe
672	omsecor.exe
836	omsecor.exe
3032	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
1724	omsecor.exe
2288	omsecor.exe
2288	omsecor.exe
672	omsecor.exe
672	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 1724 set thread context of 2288	1724	omsecor.exe	32
PID 2532 set thread context of 672	2532	omsecor.exe	36
PID 836 set thread context of 3032	836	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2060 wrote to memory of 2548	2060	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	30
PID 2548 wrote to memory of 1724	2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	31
PID 2548 wrote to memory of 1724	2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	31
PID 2548 wrote to memory of 1724	2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	31
PID 2548 wrote to memory of 1724	2548	4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe	31
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 1724 wrote to memory of 2288	1724	omsecor.exe	32
PID 2288 wrote to memory of 2532	2288	omsecor.exe	35
PID 2288 wrote to memory of 2532	2288	omsecor.exe	35
PID 2288 wrote to memory of 2532	2288	omsecor.exe	35
PID 2288 wrote to memory of 2532	2288	omsecor.exe	35
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 2532 wrote to memory of 672	2532	omsecor.exe	36
PID 672 wrote to memory of 836	672	omsecor.exe	37
PID 672 wrote to memory of 836	672	omsecor.exe	37
PID 672 wrote to memory of 836	672	omsecor.exe	37
PID 672 wrote to memory of 836	672	omsecor.exe	37
PID 836 wrote to memory of 3032	836	omsecor.exe	38
PID 836 wrote to memory of 3032	836	omsecor.exe	38
PID 836 wrote to memory of 3032	836	omsecor.exe	38
PID 836 wrote to memory of 3032	836	omsecor.exe	38
PID 836 wrote to memory of 3032	836	omsecor.exe	38
PID 836 wrote to memory of 3032	836	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
"C:\Users\Admin\AppData\Local\Temp\4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
  C:\Users\Admin\AppData\Local\Temp\4ce74e17a4e2520215895f43013ead5e175d7c9b4cced4a049b138ffeee76ae8.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
77abbac0c65ccd840798de8de84260bd

SHA1
e7bd8af7b556e8af410b3b795324cabad3325266

SHA256
e5a76af78f10e56ff41a5033c5cec3073ff01542fca1ef2c4957e2f45ffad10b

SHA512
d0b14368492c6149b63e2cd996fbaa02363286aa1adfd6064b095431f4c987abf0f74a06ab88a8c7b71299be3fdb6103de3f9dc12f7abb99fc517098f83ccf44

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ca29fe191a4ec32b42a66d67f23cb0bc

SHA1
d73fdfc31c6f35c75bd56cc9b8dd40e664b1e0ee

SHA256
6797609cc7543766c4bf3e702f7495d1d1f0441e11079b69b5229a98a2260ba3

SHA512
4c9fc164d313b8fa3c2f15fa65d1e70c187e2c06bd2054b1a562922a0feddaae2516c3b224ed7dfc0ccebc6f1d32b6bcf3ea25e44674baf3d2904981b559c2cc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c3562d5920bfbe8a941b3c0c4c287d07

SHA1
2b4f8b8b4f0f344631c822efb98df7137c71eebf

SHA256
49c512fd34d2fb3cd0dbc72a936b7249ca6b624a780f2b93f58579311d57005b

SHA512
868eba606c2a5dda1f2b31aead42464b6b18f32127df20bdff12db1e305582fd5acdcf87dcd5b8b7e35c1b9d178292c51de8da3dd08ce54b2441f15ff0175580

Download Submit
memory/836-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/836-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1724-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1724-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-35-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2288-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-48-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2288-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2548-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2548-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download