neconyd | 59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Size

96KB
MD5

8b2b21eebd1bb8f8765fff013b065ad0
SHA1

d838fa05cc4652376e0af6ec511417e5be1b68a3
SHA256

59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250
SHA512

d5e7ceac818d5cd23e53e999ce4f6633aaa4bfdb0838a3d59e11d1827fcab1d2d226fcab129a0a09a32c95fb672c08e3b2b843ef711c9ae6e60f3ad627df68dd
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:xGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2716	omsecor.exe
2724	omsecor.exe
2120	omsecor.exe
2040	omsecor.exe
2196	omsecor.exe
2332	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
2716	omsecor.exe
2724	omsecor.exe
2724	omsecor.exe
2040	omsecor.exe
2040	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2716 set thread context of 2724	2716	omsecor.exe	32
PID 2120 set thread context of 2040	2120	omsecor.exe	36
PID 2196 set thread context of 2332	2196	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2252 wrote to memory of 2692	2252	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	30
PID 2692 wrote to memory of 2716	2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	31
PID 2692 wrote to memory of 2716	2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	31
PID 2692 wrote to memory of 2716	2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	31
PID 2692 wrote to memory of 2716	2692	59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe	31
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2716 wrote to memory of 2724	2716	omsecor.exe	32
PID 2724 wrote to memory of 2120	2724	omsecor.exe	35
PID 2724 wrote to memory of 2120	2724	omsecor.exe	35
PID 2724 wrote to memory of 2120	2724	omsecor.exe	35
PID 2724 wrote to memory of 2120	2724	omsecor.exe	35
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2120 wrote to memory of 2040	2120	omsecor.exe	36
PID 2040 wrote to memory of 2196	2040	omsecor.exe	37
PID 2040 wrote to memory of 2196	2040	omsecor.exe	37
PID 2040 wrote to memory of 2196	2040	omsecor.exe	37
PID 2040 wrote to memory of 2196	2040	omsecor.exe	37
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38
PID 2196 wrote to memory of 2332	2196	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
"C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
  C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d50b0bea50f7465cc517056daf3246d6

SHA1
a7951b8b88b403b49fa2d7f90afd3579a634bbb5

SHA256
2ecd9bdc1d1fa15698b152a7d56348423632ba4b0c3b17a7a106081dac5e0abf

SHA512
f4e7faa335caeb3b4a8c2281f5fe5c9cdbbb8c8d9b01640fcf87059f09f89e46a005821c61b5b4ce490a8a0ae4307cd01866b90c68974088411d13132db6692f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a1630f0e69f1b4b359f65ad94f2f1f04

SHA1
24e7033338976a695c0789b342b19ff9ea1c9b07

SHA256
54e755616171a813a17afac8348ee09c1961b24803e694949be0ff23e4a0ea0b

SHA512
58b1459a89cb4273bb36d02f83350c0d31c91064f5425bf40b29c32dfd031a6bd2f65781e001261bdcbd1da503522ca22ab0e25104f34b429ef007938be85f36

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
db8a72c27a825aea46eeebcdb80c4b32

SHA1
fc7609313a90eb1e5a3db4b1b1db048b380f1b5a

SHA256
5eda90176feb89c75074f57e0326b81fbadf3eb103127faa318049710f55b78d

SHA512
06556cd47fcbdbdae5ee2ed3a555f78d5f3e7823d6947cc22cbd5af775ee9172876d1e187f9a2f73ea5c3b0eb1c838edd76405631b8b4c58b42cddf43137da07

Download Submit
memory/2040-75-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2120-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-7-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2252-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-15-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2692-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-22-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2692-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-50-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2724-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download