neconyd | 928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
Size

96KB
MD5

a7dad23f9097171380f21aa842e154fe
SHA1

4a1a0d72bde7e5b941692eedc6098be1742e21f2
SHA256

928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b
SHA512

8793115a37509c12a361f0d0c1a361db7574d5df63d1f085d2ba9430f4b3ed70ad1a9f77fb26cb7ea96be8bdb8bfef2529c4d1dab3b47a1d0fdd22076fbfd7cf
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:DGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2708	omsecor.exe
2752	omsecor.exe
1952	omsecor.exe
2280	omsecor.exe
1420	omsecor.exe
1004	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
2708	omsecor.exe
2752	omsecor.exe
2752	omsecor.exe
2280	omsecor.exe
2280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2708 set thread context of 2752	2708	omsecor.exe	32
PID 1952 set thread context of 2280	1952	omsecor.exe	35
PID 1420 set thread context of 1004	1420	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2704 wrote to memory of 2788	2704	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	30
PID 2788 wrote to memory of 2708	2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	31
PID 2788 wrote to memory of 2708	2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	31
PID 2788 wrote to memory of 2708	2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	31
PID 2788 wrote to memory of 2708	2788	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	31
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2708 wrote to memory of 2752	2708	omsecor.exe	32
PID 2752 wrote to memory of 1952	2752	omsecor.exe	34
PID 2752 wrote to memory of 1952	2752	omsecor.exe	34
PID 2752 wrote to memory of 1952	2752	omsecor.exe	34
PID 2752 wrote to memory of 1952	2752	omsecor.exe	34
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 1952 wrote to memory of 2280	1952	omsecor.exe	35
PID 2280 wrote to memory of 1420	2280	omsecor.exe	36
PID 2280 wrote to memory of 1420	2280	omsecor.exe	36
PID 2280 wrote to memory of 1420	2280	omsecor.exe	36
PID 2280 wrote to memory of 1420	2280	omsecor.exe	36
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37
PID 1420 wrote to memory of 1004	1420	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
"C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
  C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8c2e0b579969885d5094358785561332

SHA1
ad7c938c8e92b1c4eda974d5cc0cdf0e2edc98b3

SHA256
e81165ae0641f8d1b8066aeb24e418443e0da6069fd3608a7a42fed4497e11ad

SHA512
0ed9ee41eeb5851bc748838dbaf7b7e9eb5256831b63dc7a353ab46feea77afb9fefb4cd730be95853aeec161a34d089d5921aa32d1815b2341428e4be047808

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
aebff0b501d39d73b1127fcbdc80cf19

SHA1
de25c804699ccf944ba2060c1d3b00d816e5dd60

SHA256
5b714f9d89b4544bb2cff1a08d700543c6473df37a0981ddf759043e18e15489

SHA512
c14f4d5402d987c2c909fa2fbf24b3eacb5ddb13de142d8f5995e9c6d993a1265645febb166c790422d50478f370ea0b1a8a76b1fb152d23a3654d468f1cc317

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
af625165cf89193bc7bf74d74c265d74

SHA1
3a3c1d0c224c9159ea06aa4fd6bd3ff7df35ba85

SHA256
8b6b56f928f21fc1e1f6510348f87981791bbfa463b3eba87429b4f2ee5e3661

SHA512
87ad8e49394203602173137ec33bd53f699f4bb167b4128a50c7b9df99a135a1211e970d95dd84113b36088d67e9bb16c53f5c3351db37ad1efefd960aaa0e29

Download Submit
memory/1004-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1420-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1952-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1952-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2280-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2280-74-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2704-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download