neconyd | 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
Size

96KB
MD5

e108e8f374797fefd9917f5563343b00
SHA1

306763d0a77657d638e093d4ac809187f709cf27
SHA256

6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1
SHA512

1cca39848bd09ef84a534d98a8a725272ae23ad054978b4d96c63cc12d30339119b97c9b8a79709fe00ff6797adc2aea9e8fd878147002f93abe51fede03aaad
SSDEEP

1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:BGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2032	omsecor.exe
2724	omsecor.exe
956	omsecor.exe
1988	omsecor.exe
284	omsecor.exe
2764	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
2032	omsecor.exe
2724	omsecor.exe
2724	omsecor.exe
1988	omsecor.exe
1988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2032 set thread context of 2724	2032	omsecor.exe	33
PID 956 set thread context of 1988	956	omsecor.exe	36
PID 284 set thread context of 2764	284	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2464 wrote to memory of 2060	2464	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	31
PID 2060 wrote to memory of 2032	2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	32
PID 2060 wrote to memory of 2032	2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	32
PID 2060 wrote to memory of 2032	2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	32
PID 2060 wrote to memory of 2032	2060	6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe	32
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2032 wrote to memory of 2724	2032	omsecor.exe	33
PID 2724 wrote to memory of 956	2724	omsecor.exe	35
PID 2724 wrote to memory of 956	2724	omsecor.exe	35
PID 2724 wrote to memory of 956	2724	omsecor.exe	35
PID 2724 wrote to memory of 956	2724	omsecor.exe	35
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 956 wrote to memory of 1988	956	omsecor.exe	36
PID 1988 wrote to memory of 284	1988	omsecor.exe	37
PID 1988 wrote to memory of 284	1988	omsecor.exe	37
PID 1988 wrote to memory of 284	1988	omsecor.exe	37
PID 1988 wrote to memory of 284	1988	omsecor.exe	37
PID 284 wrote to memory of 2764	284	omsecor.exe	38
PID 284 wrote to memory of 2764	284	omsecor.exe	38
PID 284 wrote to memory of 2764	284	omsecor.exe	38
PID 284 wrote to memory of 2764	284	omsecor.exe	38
PID 284 wrote to memory of 2764	284	omsecor.exe	38
PID 284 wrote to memory of 2764	284	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
"C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
  C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d2188cf7527ee0bdf3d1f037e88d9e74

SHA1
6dcd97d3ff0b44fb5dfb9801960a20f58ad6aee9

SHA256
d3e18d63f91591946a7c43c3d14706bf1260d85a603a2b60bbbf78dbd47413fa

SHA512
e18f2e985ec7b79cf57f3090cb30c4608c1f9ca467e41cf6c8bec90ce4d242bb27ef5f80dbe987bef36f89ebcde181e87698bc56d6936cd9282daa28db251434

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4e8ee183967d416d936d5289fe84c678

SHA1
0daa517cee82f77f7ce5334fd9d01ed403fe08fb

SHA256
0fab7576d482b9da376297ce04280c1960c7792306451829b1def280acbc15e3

SHA512
7cb5b7401b1595aa007ff6c2eadee969e9bc7810e1ef0b4bce6a0e9bd3858703c06f6d9fd005fe216f28618479be3e633d854834b304a79b67e53605a19fc69a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
72148942da019133b7db77ec0e8d2c77

SHA1
7fe8bfa996c082e97160681d4189eb0bb0664cc3

SHA256
f1c429cded3b7c803758df98582773a0c7ddf2e5e1faf4b60aadcac04c6da546

SHA512
165b8077c8cdafce794d3e60a6e58d6232ce66d36b0deaaa4528f548f7fd5d79834adedcd7b5d655276fbaf730dc717805f8940f6963ea2a66515086d5105bca

Download Submit
memory/284-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/284-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/956-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/956-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1988-72-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2032-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2032-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2032-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-48-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2724-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-54-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2724-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download