neconyd | 6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
Size

96KB
MD5

6d3dc9d6bd7adee40728b253e2eb0780
SHA1

a86a05578acb4d0627f7d85af8a39433da702194
SHA256

6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147b
SHA512

bf635ffe96a0b02ed884ad962d023f204bbe1d7a33fddc951cf1fcd34b7abc304ca5345287dd823c5413944433b3a14a358307fd0829dc29f3fe768e2fc48357
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:4Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2740	omsecor.exe
2672	omsecor.exe
532	omsecor.exe
1092	omsecor.exe
2032	omsecor.exe
2176	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
2740	omsecor.exe
2672	omsecor.exe
2672	omsecor.exe
1092	omsecor.exe
1092	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2740 set thread context of 2672	2740	omsecor.exe	33
PID 532 set thread context of 1092	532	omsecor.exe	37
PID 2032 set thread context of 2176	2032	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2848 wrote to memory of 2084	2848	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	31
PID 2084 wrote to memory of 2740	2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	32
PID 2084 wrote to memory of 2740	2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	32
PID 2084 wrote to memory of 2740	2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	32
PID 2084 wrote to memory of 2740	2084	6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe	32
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2740 wrote to memory of 2672	2740	omsecor.exe	33
PID 2672 wrote to memory of 532	2672	omsecor.exe	36
PID 2672 wrote to memory of 532	2672	omsecor.exe	36
PID 2672 wrote to memory of 532	2672	omsecor.exe	36
PID 2672 wrote to memory of 532	2672	omsecor.exe	36
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 532 wrote to memory of 1092	532	omsecor.exe	37
PID 1092 wrote to memory of 2032	1092	omsecor.exe	38
PID 1092 wrote to memory of 2032	1092	omsecor.exe	38
PID 1092 wrote to memory of 2032	1092	omsecor.exe	38
PID 1092 wrote to memory of 2032	1092	omsecor.exe	38
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39
PID 2032 wrote to memory of 2176	2032	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
"C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
df24be91929341411994d9c5d5df22c9

SHA1
c947478174e353d33dad3244fc79ddae1be3e703

SHA256
bb5f489b34c4001feae77f356975ffe2007b2c566820753122ced0ffc504a268

SHA512
088f54fd412db3564f1be4e0ce79ad305cee6cae65ef3e65dcc3aa003927e0ddecf99326f789fb199988de5428eb0f4d451bc0cec1d82f417a61e148ea3c54ec

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
41a6673d119cdf2895589c85f051f65f

SHA1
af37d1379249a27136beb92dc42b6e6fe1ad8e87

SHA256
e8cc541546d613b59e1af9f0363ae86243d52254ea1815b479173f3fa220e469

SHA512
4049e802357dc5a24257b32b673a00cc0ef21cde0bc93ba81455bb608f0e0a2c8920d8996fff8ab11cf1b47cfba69eb717ff8f5a3429117e7413d1f2f3e5d905

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
966e0a1ac38082ce57faa597403082db

SHA1
300ba3db9f9305e31cc80e90d23e2d753f071b72

SHA256
6d2a8e5251c2b3a2bb0298f06d913a57355e3f72ef606744fa79bc86a3a71ba7

SHA512
93d4ba0bd007c735c38d78129ca14d01b738e7cc307b8f28f5043f8bdf12849adfb721321f00ff05cc227c79182bbf2da63f70f31f3fa841f084dd56605b762a

Download Submit
memory/532-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1092-70-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2032-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2032-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-47-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2672-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2740-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2740-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2848-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2848-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download