neconyd | ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
Size

96KB
MD5

4fdc5b677988c7885e6b14e5a0c505c0
SHA1

14880f4ab2c99d1ca349809190b4bc71b8cb94ea
SHA256

ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3
SHA512

59831e9966e15e173a5b00c9fe8c03937c4a5d037a496cd99e4d92448d469c7375020eee5a7a542340d978d58087d389716de4ad5eb2a2056adae9bdb837971b
SSDEEP

1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:LGs8cd8eXlYairZYqMddH13O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2120	omsecor.exe
2924	omsecor.exe
2796	omsecor.exe
2000	omsecor.exe
2944	omsecor.exe
2464	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
2120	omsecor.exe
2924	omsecor.exe
2924	omsecor.exe
2000	omsecor.exe
2000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 2120 set thread context of 2924	2120	omsecor.exe	32
PID 2796 set thread context of 2000	2796	omsecor.exe	36
PID 2944 set thread context of 2464	2944	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 1696 wrote to memory of 2488	1696	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	30
PID 2488 wrote to memory of 2120	2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	31
PID 2488 wrote to memory of 2120	2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	31
PID 2488 wrote to memory of 2120	2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	31
PID 2488 wrote to memory of 2120	2488	ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe	31
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2120 wrote to memory of 2924	2120	omsecor.exe	32
PID 2924 wrote to memory of 2796	2924	omsecor.exe	35
PID 2924 wrote to memory of 2796	2924	omsecor.exe	35
PID 2924 wrote to memory of 2796	2924	omsecor.exe	35
PID 2924 wrote to memory of 2796	2924	omsecor.exe	35
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2796 wrote to memory of 2000	2796	omsecor.exe	36
PID 2000 wrote to memory of 2944	2000	omsecor.exe	37
PID 2000 wrote to memory of 2944	2000	omsecor.exe	37
PID 2000 wrote to memory of 2944	2000	omsecor.exe	37
PID 2000 wrote to memory of 2944	2000	omsecor.exe	37
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38
PID 2944 wrote to memory of 2464	2944	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
"C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
  C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4124807dc4306feab598aadbce7409f8

SHA1
02f818dae5160c130f63cb6280e2666ba6d144f5

SHA256
6d4390d6050a19e0ecb040f0d2fe7a84909b59bb34d35de7816dd0b8bcd2b2f8

SHA512
43d7930035a128084880907f3c1a5f2e468fba57629bb4bbe65c0f515b03177aa0aced2299c51c18f5d640940b70af0d7b939341e5d3e4dcba190505e8dc290d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f06be528fdf6a85594028d7cad94629f

SHA1
6993afc243aeada9e1e724e6b5285d93cce7f511

SHA256
c9405a6123ce8f1d33ef9356c9c1068a5ab77cb5e816106078f755d1eeeda386

SHA512
acdd4e32a9cd2b910a620287cd7d1cc0ea93bf83dabe32e1cf29385d03882159a3595a06fcf048c0ff9e3a8dd251bdeab9054571cccff075ea2cf88ecd9d2362

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
92ac9be63bd5ab7a01041c36f2f2e059

SHA1
6e09c36826ea47b652a19b62ab48ed4e60d7ea4a

SHA256
5b71081a181d0ba5aa343c182bb285e5c70aa5804fd3103dcb5bb77d8f993fe9

SHA512
d9125bf6eeb0ebf50bd8948d98e447fbb8c1566189fbaab4c4ac0f1409ebbc163738bcf0eee20b81d172b7c83b06e31842d629c302d07c6348684959bb0189cc

Download Submit
memory/1696-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1696-8-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/1696-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1696-36-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2000-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2120-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-17-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2488-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2924-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-49-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2924-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2944-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download