neconyd | 27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
Size

96KB
MD5

1c75638f6c6c6644ba830fdbd06cbedc
SHA1

2bd3ae1f289ec8aeb9591fbe4a6a9b2f0460899a
SHA256

27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75
SHA512

f978b7e39863cb51f3c4f53c0a5ad9089695fa8a6d59ccb3511a5c159f9f5e1eb4c4c950c7de797976f16da55a0f57ee3da278664c53fbb698bb151f63239267
SSDEEP

1536:SnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:SGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
808	omsecor.exe
2456	omsecor.exe
3052	omsecor.exe
2280	omsecor.exe
2004	omsecor.exe
596	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
808	omsecor.exe
2456	omsecor.exe
2456	omsecor.exe
2280	omsecor.exe
2280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 808 set thread context of 2456	808	omsecor.exe	32
PID 3052 set thread context of 2280	3052	omsecor.exe	36
PID 2004 set thread context of 596	2004	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 2376 wrote to memory of 1348	2376	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	30
PID 1348 wrote to memory of 808	1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	31
PID 1348 wrote to memory of 808	1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	31
PID 1348 wrote to memory of 808	1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	31
PID 1348 wrote to memory of 808	1348	27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe	31
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 808 wrote to memory of 2456	808	omsecor.exe	32
PID 2456 wrote to memory of 3052	2456	omsecor.exe	35
PID 2456 wrote to memory of 3052	2456	omsecor.exe	35
PID 2456 wrote to memory of 3052	2456	omsecor.exe	35
PID 2456 wrote to memory of 3052	2456	omsecor.exe	35
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 3052 wrote to memory of 2280	3052	omsecor.exe	36
PID 2280 wrote to memory of 2004	2280	omsecor.exe	37
PID 2280 wrote to memory of 2004	2280	omsecor.exe	37
PID 2280 wrote to memory of 2004	2280	omsecor.exe	37
PID 2280 wrote to memory of 2004	2280	omsecor.exe	37
PID 2004 wrote to memory of 596	2004	omsecor.exe	38
PID 2004 wrote to memory of 596	2004	omsecor.exe	38
PID 2004 wrote to memory of 596	2004	omsecor.exe	38
PID 2004 wrote to memory of 596	2004	omsecor.exe	38
PID 2004 wrote to memory of 596	2004	omsecor.exe	38
PID 2004 wrote to memory of 596	2004	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
"C:\Users\Admin\AppData\Local\Temp\27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
  C:\Users\Admin\AppData\Local\Temp\27ae1e500004745b35b8164abe5fad810f82908ab5b44ba92ce0f7bfeaaaec75.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36fd7aa8ea8794b2b6b81a47f6ed8f5e

SHA1
ce0eeedcfddd361bde59422ae357bfa0fd7695e8

SHA256
642d97c675e5aed6be6474621a97a85141130eb1d93c38fe42e600eb02521fa3

SHA512
69f4110f90e295f0523e4d888aa6cf109b4677fcb00bd1bd2293dd4b7503e6c58a56684218fc8d4d8077b68fc454274efb0126d21017dba02ab1558ce8c1dc74

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
80897a8f02197c47b732a63effe0fd8c

SHA1
92fab1edbf463b1df905f8ce7edf72b8c9829666

SHA256
42d84a401722936355a42f1b820832d775cf4a61a239b8984259a5c76a216292

SHA512
1fde06666d02544b29e69b384cc999dba1adc7c7aace77abbbf1ff194d049a8ceb20b90eab63cd147a6112bcf8edf036ed54a2ccf93377318fe43e6469b4a4f4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
605563a9da2c41b0a5206b3e8df2fce9

SHA1
69f83847a04745e419efef2800c11402389b3371

SHA256
f29085f7e075f2fc4d384789102ea74ed8070a916c48329d19f36f57ec015802

SHA512
b83c1f75228aad2f6ca6710563449701c0f4e22fbaefd23eb47eefa7286c3c3d20098fefc1d799c70cc60f124d65a88f0b6f1cca25f11ed4044fe6655c124d9e

Download Submit
memory/596-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/808-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/808-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1348-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1348-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1348-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2004-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2280-71-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2376-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2456-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-53-0x0000000000380000-0x00000000003A3000-memory.dmp

Filesize
140KB

Download
memory/2456-52-0x0000000000380000-0x00000000003A3000-memory.dmp

Filesize
140KB

Download
memory/2456-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3052-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download