neconyd | fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
Size

96KB
MD5

a63cd8ef554c8a42630a92a4fdde970c
SHA1

0530eb7362ca19d6aa953a7d35bbca034a01c751
SHA256

fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f
SHA512

567d55fae6070f24e6530079caade578961974ada1076f068183e8ee2ea6cc9c8b9d68f13751ea486a03420f26709089ef69a2e37b213a989be1a1c3d3ea7930
SSDEEP

1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:VGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2688	omsecor.exe
2892	omsecor.exe
676	omsecor.exe
264	omsecor.exe
2244	omsecor.exe
2208	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
2688	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe
264	omsecor.exe
264	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2688 set thread context of 2892	2688	omsecor.exe	33
PID 676 set thread context of 264	676	omsecor.exe	36
PID 2244 set thread context of 2208	2244	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2788 wrote to memory of 2812	2788	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	31
PID 2812 wrote to memory of 2688	2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	32
PID 2812 wrote to memory of 2688	2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	32
PID 2812 wrote to memory of 2688	2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	32
PID 2812 wrote to memory of 2688	2812	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	32
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2688 wrote to memory of 2892	2688	omsecor.exe	33
PID 2892 wrote to memory of 676	2892	omsecor.exe	35
PID 2892 wrote to memory of 676	2892	omsecor.exe	35
PID 2892 wrote to memory of 676	2892	omsecor.exe	35
PID 2892 wrote to memory of 676	2892	omsecor.exe	35
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 676 wrote to memory of 264	676	omsecor.exe	36
PID 264 wrote to memory of 2244	264	omsecor.exe	37
PID 264 wrote to memory of 2244	264	omsecor.exe	37
PID 264 wrote to memory of 2244	264	omsecor.exe	37
PID 264 wrote to memory of 2244	264	omsecor.exe	37
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38
PID 2244 wrote to memory of 2208	2244	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
"C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
  C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
578851fddd7b21fd7150f170fa0d7515

SHA1
0f23a7f6d78cfe276c2164d529c957b90d4c1d7e

SHA256
ca0ca53e0fab32fae81d36e547a8545e409831245742badb091724f2b0bc23b8

SHA512
13e6eda18ba946a44df3e9c6a41ce6c14fa3f7821eeba231207e0cf750607f16f275d13d9f39ba8f1a5344bc7ca582c1ee8a9caedb4356fdae3cac485f0ea525

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5bbac1be509af14adb7c39d74011088f

SHA1
59f32c2c3f457e39d34f2f205350ce1cb516f035

SHA256
64c74061fe4becde5b8028ad651bf088dc1a772d75b0d43399107a2dd0a280d0

SHA512
8f0c6c70d4df4c6e25dc930233180f979b75745b086d2c52a003c66fcf23f9b24bf4fbf7745c54c31e3c207e0bc83d4f131edff38c6f968526fe1fe201d10fe0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e00ba9345f7fe97ae8d61647cdb738ae

SHA1
d57e4164332168457a610fd07085a9391ae45e21

SHA256
d1c9e7345bd6c43cc97d21af1680d8c61ce20d96eaa0af1062e58243af29020f

SHA512
7c33cc5356bf2c376402f3c1e7c578813a74eb63d545ab49c09d93de2c5500202e83d39a4b0ae0e77ce06219198dee868921f9213006529a6e3ead469dd98a71

Download Submit
memory/264-72-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/676-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2244-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2812-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-14-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2812-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-55-0x0000000002390000-0x00000000023B3000-memory.dmp

Filesize
140KB

Download
memory/2892-47-0x0000000002390000-0x00000000023B3000-memory.dmp

Filesize
140KB

Download
memory/2892-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download