neconyd | a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
Size

96KB
MD5

3741f3d1409a19365929b6bd1dee01d6
SHA1

da584cee4bebddcd5f48bb30c883c8950b5e160d
SHA256

a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7
SHA512

37a764e84764ebf79138ea4cfa70d72ffd351d4ba3b8d23c97510452b7712bb15c7dda8f6189e69e19c8ae1bc06aa4f42eb299213a6d9b110ce75607d453e9e5
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:xGs8cd8eXlYairZYqMddH13J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2920	omsecor.exe
2000	omsecor.exe
1808	omsecor.exe
1192	omsecor.exe
1120	omsecor.exe
2956	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
2920	omsecor.exe
2000	omsecor.exe
2000	omsecor.exe
1192	omsecor.exe
1192	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2920 set thread context of 2000	2920	omsecor.exe	32
PID 1808 set thread context of 1192	1808	omsecor.exe	36
PID 1120 set thread context of 2956	1120	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 2336 wrote to memory of 1944	2336	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	30
PID 1944 wrote to memory of 2920	1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	31
PID 1944 wrote to memory of 2920	1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	31
PID 1944 wrote to memory of 2920	1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	31
PID 1944 wrote to memory of 2920	1944	a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe	31
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2920 wrote to memory of 2000	2920	omsecor.exe	32
PID 2000 wrote to memory of 1808	2000	omsecor.exe	35
PID 2000 wrote to memory of 1808	2000	omsecor.exe	35
PID 2000 wrote to memory of 1808	2000	omsecor.exe	35
PID 2000 wrote to memory of 1808	2000	omsecor.exe	35
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1808 wrote to memory of 1192	1808	omsecor.exe	36
PID 1192 wrote to memory of 1120	1192	omsecor.exe	37
PID 1192 wrote to memory of 1120	1192	omsecor.exe	37
PID 1192 wrote to memory of 1120	1192	omsecor.exe	37
PID 1192 wrote to memory of 1120	1192	omsecor.exe	37
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38
PID 1120 wrote to memory of 2956	1120	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
"C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3f8bba03c981efd8f5a58855bd9b29df

SHA1
25a428aa709764c7316888d8fa6b71dcf693ad5a

SHA256
d4d60eb1ed15d9f84b6926080379abeeb07027c7ab66c8e86e232c4963adb3ee

SHA512
3b79053e7be7af9ceec97f6affe4f469450c284106ee0c8fd4034eaa5ca2b51a323e4a3542c46f63dbd1d29973243c0c775708027781b6832b52fd9e258250fb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b68e12b881253c73dd7ebf5add9f9ae1

SHA1
25d90681c112e715b65b033fb85831f7d80bf763

SHA256
6f0fa6f57d86e7fc8d81c039193fd075b2fa11a4f21c0eda3a988a9f7c43478b

SHA512
64658419ec4463efb856e78dc240691827ff653fab72ceea1f9a164cc48202388088494887763b8e74de5d724b66f93e259e33f6768493e48da3113e1ca456da

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
418937c384703d47ba12a8188337ad43

SHA1
d73f09c727e2808cfc60b58b059d0b6958fef759

SHA256
7ae33e8ee9dc4dd8942f30e518ca7a09e60fcc5169a8a9f56f9674a341ad871d

SHA512
3caf8f38fd74df9fbe0ca76701d2d4a7ba6586e3c8a04faab4580df249a38d8dad426392f3b74e7b7936677b5b380d0e6014ae7e851d977c60dcf1567cf116a8

Download Submit
memory/1120-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1120-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1192-70-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1808-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1944-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-47-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2000-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2956-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download