neconyd | cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
Size

96KB
MD5

855d8b68a2b217f91ad08aa09042fb66
SHA1

41a47e4d760a72d82cd8796b905d6a51a19473f4
SHA256

cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc
SHA512

769515bab20beb3b98b11bc054caad6094570ee5607ac80e648d713f9a2a15b59830f298e84abf2ee4cfd605cfcc21665af4137eabb8e8945bbfb159b7c89452
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:KGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2840	omsecor.exe
2828	omsecor.exe
1204	omsecor.exe
1560	omsecor.exe
2248	omsecor.exe
3056	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
2840	omsecor.exe
2828	omsecor.exe
2828	omsecor.exe
1560	omsecor.exe
1560	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2840 set thread context of 2828	2840	omsecor.exe	32
PID 1204 set thread context of 1560	1204	omsecor.exe	36
PID 2248 set thread context of 3056	2248	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2860 wrote to memory of 2892	2860	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	30
PID 2892 wrote to memory of 2840	2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	31
PID 2892 wrote to memory of 2840	2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	31
PID 2892 wrote to memory of 2840	2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	31
PID 2892 wrote to memory of 2840	2892	cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe	31
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2840 wrote to memory of 2828	2840	omsecor.exe	32
PID 2828 wrote to memory of 1204	2828	omsecor.exe	35
PID 2828 wrote to memory of 1204	2828	omsecor.exe	35
PID 2828 wrote to memory of 1204	2828	omsecor.exe	35
PID 2828 wrote to memory of 1204	2828	omsecor.exe	35
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1204 wrote to memory of 1560	1204	omsecor.exe	36
PID 1560 wrote to memory of 2248	1560	omsecor.exe	37
PID 1560 wrote to memory of 2248	1560	omsecor.exe	37
PID 1560 wrote to memory of 2248	1560	omsecor.exe	37
PID 1560 wrote to memory of 2248	1560	omsecor.exe	37
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38
PID 2248 wrote to memory of 3056	2248	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
"C:\Users\Admin\AppData\Local\Temp\cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
  C:\Users\Admin\AppData\Local\Temp\cdb901c7462da55aa2bde2ecc1b2f416c9b99a8702957e52d197fd9fcd22f3dc.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ce9032a4205c7b4840ff76b57d05246f

SHA1
5c315a171255093e3522f6f7ade94f32353cc6a9

SHA256
d9e10a41eeffb526ad276a1a65e4f1f5deffda51ced91757a348f4f936ae4206

SHA512
b9f1f5b41ede2c93d823bfa1795a91c762f9069c817fe1ca6a85765b839f0a7d567a8d1a68ca6783059d197d40b2fd5c46048066bcc7499af69a643aac8e33ce

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
72d9499cb259905748fbe74c5b095ea3

SHA1
6dc5d0347bc39ee88c66ef677f112773d0649d92

SHA256
5688fba5fd2622feaa96ba1ae64d8080f4aa5a3a9c6ed413e7e4088b8db758c3

SHA512
58d42846f599f120e2f080604c778104c4c98c5adfc73c8e0469bce8307d09142320668eb3c4d7477be260dc99155a6e747c401ab61b2aaa989a6eed32445eb8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2defe418a737400dfc3908cdbae7798f

SHA1
243013f4a4859cf5879b150546200a25168c9636

SHA256
6d52d30792176be795d98b964708eab7fdac305327a5eaec2c8aa556a872cd4e

SHA512
e4bbb7e474894a82ef57d408a0ada1a662e0d683d299c9c7d5debc45655247f763948fdabb888467d65b751c9f4eb8ff3e6a0a22107f7a5396e58c6cdbbd4981

Download Submit
memory/1204-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1560-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2248-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-47-0x00000000020D0000-0x00000000020F3000-memory.dmp

Filesize
140KB

Download
memory/2828-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-1-0x0000000001C80000-0x0000000001CA3000-memory.dmp

Filesize
140KB

Download
memory/2860-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2892-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download