neconyd | f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
Size

96KB
MD5

2d17db80c746f102a1c36b1d22186bc1
SHA1

362c08b5441f1f9bdbe8871a272374304081a977
SHA256

f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1
SHA512

65fe3886cfe0de9ac02d01c7409d807d6255798f81c52771b504cfab1c695fbc800aa7c0cc11d8cc2e124a2eba194bd39b0e3a9289c7a86429c75727ac9b820b
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:xGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2064	omsecor.exe
860	omsecor.exe
2712	omsecor.exe
2932	omsecor.exe
1828	omsecor.exe
2348	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
2064	omsecor.exe
860	omsecor.exe
860	omsecor.exe
2932	omsecor.exe
2932	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2064 set thread context of 860	2064	omsecor.exe	32
PID 2712 set thread context of 2932	2712	omsecor.exe	36
PID 1828 set thread context of 2348	1828	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2692 wrote to memory of 2696	2692	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	30
PID 2696 wrote to memory of 2064	2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	31
PID 2696 wrote to memory of 2064	2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	31
PID 2696 wrote to memory of 2064	2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	31
PID 2696 wrote to memory of 2064	2696	f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe	31
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 2064 wrote to memory of 860	2064	omsecor.exe	32
PID 860 wrote to memory of 2712	860	omsecor.exe	35
PID 860 wrote to memory of 2712	860	omsecor.exe	35
PID 860 wrote to memory of 2712	860	omsecor.exe	35
PID 860 wrote to memory of 2712	860	omsecor.exe	35
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2712 wrote to memory of 2932	2712	omsecor.exe	36
PID 2932 wrote to memory of 1828	2932	omsecor.exe	37
PID 2932 wrote to memory of 1828	2932	omsecor.exe	37
PID 2932 wrote to memory of 1828	2932	omsecor.exe	37
PID 2932 wrote to memory of 1828	2932	omsecor.exe	37
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38
PID 1828 wrote to memory of 2348	1828	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
"C:\Users\Admin\AppData\Local\Temp\f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
  C:\Users\Admin\AppData\Local\Temp\f9f1fa1a40b158ac1e233b3d18a11ba71ce760e379e01fba2200598bdf00a5c1.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
989c1d57b84e3cc6fc7068e40cb1ef91

SHA1
cf25f970e2bf352ab289b7d8525f7f0ba224d6cc

SHA256
a3f48785185fad31ba527be11a95833c0374fae11288f87dabe93065b87a5f3a

SHA512
576a492c9e919dad00d4ead3262c936fcb21769bc2b33b014502ce472f4e87dc96d95b0cddf3b7d43009469f9c46463513f0bf65e461a365ee9007d57724426e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9be6a7ec707889c75ad29c420590b797

SHA1
a250994182a0ff96fbed1de7f59caf143327f57c

SHA256
9d39f21e3bc76278b4f3efe2f06c3cf47c4276f0a44d35259c45718d97543350

SHA512
60f3ca86a1dcd6b0de090ce261605e94dc58ac6e4fdd1eb298583d418e05b6618c6216eea9612c840596f7fd0c62cce23aa1d12c08d766643df7ecd944d726ff

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2f2f577c6a793aa48bcd90e5135794a2

SHA1
fdd01a1b22077bacba20ec2f3f570c76363350ab

SHA256
e8831262469a90ab97bd67bc7d037ad90ea24b96633e63ba482a4d88f304b672

SHA512
a6305cbd2609308ff3eed564782e9fa6cdeabc58f42a70a4077a1f7cd7d309e6c373813444119e6310df730b602b457eac5502ccf95da5b33d963be88cf4ea98

Download Submit
memory/860-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-54-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/860-47-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/860-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1828-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1828-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2692-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2712-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2932-72-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download