neconyd | 9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
Size

96KB
MD5

3670275c7384e38596358f622b4e2772
SHA1

7b8ac062649c45de37410f1ad68fd0f0946a4f5f
SHA256

9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a
SHA512

539658eb04a49a72028cf67a907db3ccbf6426d18b72b2b29e1b77253aaebfdb0c15e55063e6e8b6e55b793fb43d2e0e61df2f96e4e02b219b6bb5f0d0015743
SSDEEP

1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:AGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2008	omsecor.exe
2636	omsecor.exe
1680	omsecor.exe
1912	omsecor.exe
2140	omsecor.exe
1244	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
2008	omsecor.exe
2636	omsecor.exe
2636	omsecor.exe
1912	omsecor.exe
1912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 2008 set thread context of 2636	2008	omsecor.exe	33
PID 1680 set thread context of 1912	1680	omsecor.exe	37
PID 2140 set thread context of 1244	2140	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1484 wrote to memory of 1512	1484	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	31
PID 1512 wrote to memory of 2008	1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	32
PID 1512 wrote to memory of 2008	1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	32
PID 1512 wrote to memory of 2008	1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	32
PID 1512 wrote to memory of 2008	1512	9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe	32
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2008 wrote to memory of 2636	2008	omsecor.exe	33
PID 2636 wrote to memory of 1680	2636	omsecor.exe	36
PID 2636 wrote to memory of 1680	2636	omsecor.exe	36
PID 2636 wrote to memory of 1680	2636	omsecor.exe	36
PID 2636 wrote to memory of 1680	2636	omsecor.exe	36
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1680 wrote to memory of 1912	1680	omsecor.exe	37
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 1912 wrote to memory of 2140	1912	omsecor.exe	38
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39
PID 2140 wrote to memory of 1244	2140	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
"C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
  C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c6302ce30a3aaf0e3058a256753c7e67

SHA1
151dca9fa1d42ebf98fa13a1de180b4e5fd7731d

SHA256
d0c79d32ddeb6f2633117efc926cfb21ce6e27e25bb68a46c22ff368331c4e1d

SHA512
2ee700024f2c526a23a6389643bee1114882bb068ec5fcd57ac78b0daaa07e16d30adccdfe158e2305ce8f3f84f39221790d0b4adffec397e934bb71a4a4eaa5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dbf4fac03b6efcec177aa8cb85c27afc

SHA1
1133d75a93546e0eb2206579cd50758bcba4fa8e

SHA256
613dc9e13fe8d830a3b2b97edae05d0d842e7b71839748ee190a3746b6414eea

SHA512
e5888c9920ca193c56942173b0948ff446ab1a8d85288052c77fb875488ab2ea52078a2f5f6c7fdf7b0e00877798d7629040f1d1abf055f731e9d846fe8e91c0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3b48ee69b17a8ba0e83b8630ace093fa

SHA1
f0e6de7dd1338b98ac534bd75a4e8204dc8b80c9

SHA256
a4da886637c8db220b3c805ae55a1a49682269645a675adbcc53b49d95282f39

SHA512
0fc54dfbc5f3960be92421795dc2cf95529584180e31078069d8bda1279242f2fdff37537a763437191e468e5e4c90e72b7e67c0aa359d620a7da2e7daefaf6f

Download Submit
memory/1244-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1244-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1484-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1512-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1512-14-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1512-20-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/1512-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1512-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1512-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1512-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1680-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-25-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2140-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2140-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-55-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/2636-54-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/2636-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download