neconyd | 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size

96KB
MD5

f52b87b3a347a98aaa214c53bbf3e320
SHA1

88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512

75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2072	omsecor.exe
2332	omsecor.exe
2688	omsecor.exe
2416	omsecor.exe
632	omsecor.exe
1920	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
2072	omsecor.exe
2332	omsecor.exe
2332	omsecor.exe
2416	omsecor.exe
2416	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 2072 set thread context of 2332	2072	omsecor.exe	31
PID 2688 set thread context of 2416	2688	omsecor.exe	34
PID 632 set thread context of 1920	632	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3004 wrote to memory of 3008	3004	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	29
PID 3008 wrote to memory of 2072	3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 3008 wrote to memory of 2072	3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 3008 wrote to memory of 2072	3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 3008 wrote to memory of 2072	3008	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	30
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2072 wrote to memory of 2332	2072	omsecor.exe	31
PID 2332 wrote to memory of 2688	2332	omsecor.exe	33
PID 2332 wrote to memory of 2688	2332	omsecor.exe	33
PID 2332 wrote to memory of 2688	2332	omsecor.exe	33
PID 2332 wrote to memory of 2688	2332	omsecor.exe	33
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2688 wrote to memory of 2416	2688	omsecor.exe	34
PID 2416 wrote to memory of 632	2416	omsecor.exe	35
PID 2416 wrote to memory of 632	2416	omsecor.exe	35
PID 2416 wrote to memory of 632	2416	omsecor.exe	35
PID 2416 wrote to memory of 632	2416	omsecor.exe	35
PID 632 wrote to memory of 1920	632	omsecor.exe	36
PID 632 wrote to memory of 1920	632	omsecor.exe	36
PID 632 wrote to memory of 1920	632	omsecor.exe	36
PID 632 wrote to memory of 1920	632	omsecor.exe	36
PID 632 wrote to memory of 1920	632	omsecor.exe	36
PID 632 wrote to memory of 1920	632	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
"C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ed580a195e52b712ad98701276f22d8

SHA1
fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

SHA256
8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

SHA512
acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
216085c311aace2d5b61509caee07b20

SHA1
e52e1a728dc947009203814712f92258fc09886d

SHA256
31acc51124c3a0e20b3506ad24075b2efd154e170658a0c28eb8c2acd9103b08

SHA512
7d77a9128bd15eeb229362f75640cad0a37eae6de2db60982b21962639435f96b5d23306f2c26137b1d1d14105ac1a90d35a8cd8b8bdd88cba7bfb2cc566e813

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2d707eb52b14e5aa26575790a3dfe3a4

SHA1
2331803e9930f0ffc6d73f85013c6536552d0cec

SHA256
983874cb880cca33b5b81bf8945f0585b7e2b1d83c3b0647b59466123155b4a0

SHA512
35543a91dd455b9eefe50f82a6683278cd6b0b848f707c11ff0ba25e73d168eb2b5121c2e320393eadca3b9ac01fd1263001a4ace687bee0ee5cfe514223bb16

Download Submit
memory/632-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/632-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2072-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-54-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2332-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-48-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2332-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2688-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/3008-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download