neconyd | 2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09be

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
Size

96KB
MD5

321909c591b4066fc06703effea9a2d0
SHA1

47b843e133c66949d6f6b38ba6df870d624486b9
SHA256

2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09be
SHA512

9dcbf4fb3bb4c3bfcdfda9f12e5cf89e46f80ee4d0ddd5a535138c703fdbbc24198e20175d71ee065f8ec579e54a700c1414ff143fc72fdee6ebe7ad8dcf9ad3
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:rGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2084	omsecor.exe
2236	omsecor.exe
1884	omsecor.exe
2936	omsecor.exe
2812	omsecor.exe
2724	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
2084	omsecor.exe
2236	omsecor.exe
2236	omsecor.exe
2936	omsecor.exe
2936	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2084 set thread context of 2236	2084	omsecor.exe	32
PID 1884 set thread context of 2936	1884	omsecor.exe	36
PID 2812 set thread context of 2724	2812	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2076 wrote to memory of 2540	2076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	30
PID 2540 wrote to memory of 2084	2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	31
PID 2540 wrote to memory of 2084	2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	31
PID 2540 wrote to memory of 2084	2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	31
PID 2540 wrote to memory of 2084	2540	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	31
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2084 wrote to memory of 2236	2084	omsecor.exe	32
PID 2236 wrote to memory of 1884	2236	omsecor.exe	35
PID 2236 wrote to memory of 1884	2236	omsecor.exe	35
PID 2236 wrote to memory of 1884	2236	omsecor.exe	35
PID 2236 wrote to memory of 1884	2236	omsecor.exe	35
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 1884 wrote to memory of 2936	1884	omsecor.exe	36
PID 2936 wrote to memory of 2812	2936	omsecor.exe	37
PID 2936 wrote to memory of 2812	2936	omsecor.exe	37
PID 2936 wrote to memory of 2812	2936	omsecor.exe	37
PID 2936 wrote to memory of 2812	2936	omsecor.exe	37
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38
PID 2812 wrote to memory of 2724	2812	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
"C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
  C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
24f1179855a33330c59210abe9e1ba76

SHA1
d29bbace42c978c896081642cc37c58c8beb81a6

SHA256
9d674cdd28d6708691eccb9691c401af0a3d74ac341df409a4d7325c86ed8ec7

SHA512
53e536026f848b74e6a4c09aa3065f38593f2cad92dfd50f3447ed5b16a0cec7ebb0172a16b2b371c78c2e306c4bc1b65e789a4a8e83c464ca24ec2f5c99bdde

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
db4961631a26ea61bb02ce63a4d4b751

SHA1
94cedf9e6790664a0ed94e371c4471547eccfb8b

SHA256
00b99e2b65730a4f4573b4617f7ffe3c4ac09ffb8c12993fef38b02503b5c3fd

SHA512
6a62618eb6407ddd9de74a46915cd48b283997d6687d4d221f27b70ef206d9f73150f144a50b0718116a92f51df8c39cecea8c57c18aa7961162cb1d2582ad15

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f74618d92ec28c87c75405bc239e125f

SHA1
37f585ebddb19a506a3f78194877b33898cc581b

SHA256
70be7d8d70576af259b74d0874744648a9bd8a65cd5c833927f2c9c02e83425f

SHA512
a3dca17edb71a07a380bfae30bba3b44d02d1d2fc9b4a0af9bd56ad0829beea2eefb1a5a8ce8571ab08ac7fcb49df7ba160e6ace339b70c6877517d0087fcd44

Download Submit
memory/1884-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2236-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-47-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2236-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-70-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download