neconyd | 1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
Size

96KB
MD5

de08d653fa129b10cd40b2b869573be8
SHA1

2164c63aced87d14e6544bd63cf79f4d2f5d4aca
SHA256

1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5
SHA512

06bb45bfe88c50892fc2b23faf9ddb22a211378dda508a6fee2a6561ce864ee08a7a187b34839f69a4e3b965f9b9d9c896b312245fd8d60368e6659e178bfd66
SSDEEP

1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:NGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2780	omsecor.exe
2712	omsecor.exe
852	omsecor.exe
2044	omsecor.exe
2052	omsecor.exe
2764	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
2780	omsecor.exe
2712	omsecor.exe
2712	omsecor.exe
2044	omsecor.exe
2044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2780 set thread context of 2712	2780	omsecor.exe	32
PID 852 set thread context of 2044	852	omsecor.exe	36
PID 2052 set thread context of 2764	2052	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2660 wrote to memory of 2416	2660	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	30
PID 2416 wrote to memory of 2780	2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	31
PID 2416 wrote to memory of 2780	2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	31
PID 2416 wrote to memory of 2780	2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	31
PID 2416 wrote to memory of 2780	2416	1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe	31
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2780 wrote to memory of 2712	2780	omsecor.exe	32
PID 2712 wrote to memory of 852	2712	omsecor.exe	35
PID 2712 wrote to memory of 852	2712	omsecor.exe	35
PID 2712 wrote to memory of 852	2712	omsecor.exe	35
PID 2712 wrote to memory of 852	2712	omsecor.exe	35
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 852 wrote to memory of 2044	852	omsecor.exe	36
PID 2044 wrote to memory of 2052	2044	omsecor.exe	37
PID 2044 wrote to memory of 2052	2044	omsecor.exe	37
PID 2044 wrote to memory of 2052	2044	omsecor.exe	37
PID 2044 wrote to memory of 2052	2044	omsecor.exe	37
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38
PID 2052 wrote to memory of 2764	2052	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
"C:\Users\Admin\AppData\Local\Temp\1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
  C:\Users\Admin\AppData\Local\Temp\1863f8ffd273a7d21d813c004bbee88e27ceed12faba042880bd1bb72a3b14d5.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fdce8879327ace3e78a5b3d507032650

SHA1
0fed7aa14e8ee03a80b20bd6948d230e1127a550

SHA256
75389f80b36d5d36ff5f6f1cb2ab9436dad0ceace924191551c5d0feac620de5

SHA512
30bfd31a7a8e7a64dbdeae3592529fcd8ced241268d027f0f47765deaf128f031c86b2d7d335844b3791df446462760ce04cf9679d4b5b2f21f6e855d6be6f48

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
89d0bc17a00e69507559610ce8b585cc

SHA1
cb6c76d62ccf70199e75fa2bce07be92faaa7ebd

SHA256
1dd0b04a839000d4bdae3d4a7153ce8a948f35c9bca4727df97c0a3916a9686a

SHA512
c62beb84a77aabd302f6febc60b4a60512c6577d6bc94328e82f7c22cbf4444660dcd801f694a4d9cee1f59a665786433ec7e6d3641d6ff29a0146404f8a1996

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c33f2840bbf969bdc73b65d732d96385

SHA1
bd3aecdc2c9f5dbd888a7e0c999b1114e79baa03

SHA256
a3fb7d3d600f49f2ee2a0aa9f280413be82e46442fdb31f46a872d6845dca796

SHA512
3e986a74903adaed8f913159b5de2563857044001aac635b3f5c22cb4cb37277f1cb80fa6e23d436d6de12e09bc51f504e5118f6f35613544234a0a8b41c8024

Download Submit
memory/852-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/852-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2044-74-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/2052-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2052-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2416-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2660-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2712-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-56-0x00000000005A0000-0x00000000005C3000-memory.dmp

Filesize
140KB

Download
memory/2712-49-0x00000000005A0000-0x00000000005C3000-memory.dmp

Filesize
140KB

Download
memory/2712-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2780-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2780-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download