neconyd | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Size

96KB
MD5

b3713e03f5213be6bdd7366e5961730c
SHA1

9e4087a0ba8e77c162201bd559b400ad520ef3ed
SHA256

18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842
SHA512

15faab5cd6251d5dcb0454fd5251643c9d71f6e3b472e0db318da7b11229d13cb8cdf620d8fb2851bc62fc0db5fe018f3574a0cc0fc15fd7ef0884f96eeda109
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:rGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1552	omsecor.exe
2696	omsecor.exe
1624	omsecor.exe
1640	omsecor.exe
752	omsecor.exe
2836	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
1552	omsecor.exe
2696	omsecor.exe
2696	omsecor.exe
1640	omsecor.exe
1640	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 1552 set thread context of 2696	1552	omsecor.exe	33
PID 1624 set thread context of 1640	1624	omsecor.exe	36
PID 752 set thread context of 2836	752	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2408 wrote to memory of 2524	2408	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	31
PID 2524 wrote to memory of 1552	2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	32
PID 2524 wrote to memory of 1552	2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	32
PID 2524 wrote to memory of 1552	2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	32
PID 2524 wrote to memory of 1552	2524	18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe	32
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 1552 wrote to memory of 2696	1552	omsecor.exe	33
PID 2696 wrote to memory of 1624	2696	omsecor.exe	35
PID 2696 wrote to memory of 1624	2696	omsecor.exe	35
PID 2696 wrote to memory of 1624	2696	omsecor.exe	35
PID 2696 wrote to memory of 1624	2696	omsecor.exe	35
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1624 wrote to memory of 1640	1624	omsecor.exe	36
PID 1640 wrote to memory of 752	1640	omsecor.exe	37
PID 1640 wrote to memory of 752	1640	omsecor.exe	37
PID 1640 wrote to memory of 752	1640	omsecor.exe	37
PID 1640 wrote to memory of 752	1640	omsecor.exe	37
PID 752 wrote to memory of 2836	752	omsecor.exe	38
PID 752 wrote to memory of 2836	752	omsecor.exe	38
PID 752 wrote to memory of 2836	752	omsecor.exe	38
PID 752 wrote to memory of 2836	752	omsecor.exe	38
PID 752 wrote to memory of 2836	752	omsecor.exe	38
PID 752 wrote to memory of 2836	752	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
"C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
  C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3dc705843b8a411cf70ae4498fccdb74

SHA1
49d7acf95bc90b22e07a464ba1fbb5e9289b6ffc

SHA256
a12d69cc9ada4ce3b4deb3ea21ffbae3e1abd1955ebe48a6aa1237cc2342a485

SHA512
eca1bd9743e51252d2087bd9bdb7380806a3f4552f072d6d978fceff164b20ef3c882d0b45f91ac45ad2395d62c13424ea0e54d278eae2ceabaaa5d41bb2b253

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2cda027cb917ff97e4706eea26d3db60

SHA1
39841e4995d3aca97cb81fd86d904a274125ca5a

SHA256
d8d63e47591f6eeef0b289b833cd3dcf337cb998b5980499941fbe4869857e88

SHA512
bdcc5cba1972ab9357ca0ee9a2b14a5e03a08a159f97bb70b5a7087d621876200616684291ce6effcc2b8e2807ff392c6f3b542db88ed7581530df423d06e92b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0a51e4a2b1fb58e4eb4f61619e3cd9f9

SHA1
3cfff192f3e8dfef5e3f058c14a5f73201ae2684

SHA256
c942cd4847f5198b6c6db9ee3a0e6e6935ee292f27956f875b11db9eb2ad194d

SHA512
c5e863ef30233a51b258cb06f4a92f6d9ca80d5278a8673001dda8dfdae401514073b30a1221623491a605f3c5499d2d6dd5e2f9dfd5b397f671164f3fa27846

Download Submit
memory/752-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/752-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1552-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1552-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1552-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1624-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1624-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2408-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download