neconyd | e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Size

96KB
MD5

5926bd31f01b5ab1dff5b50fb17fd258
SHA1

a7a226bdb5002d78cfaeb3abe81a5a184276d420
SHA256

e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b
SHA512

dedaaf27db851e090759482f379262bed17a8515e90b2c241058483d5b0077ed4a278a61b90728227dbeba5e2c0a1a51104205ce9a008dca84e82e9708f06d8b
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:DGs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1984	omsecor.exe
2924	omsecor.exe
3040	omsecor.exe
2976	omsecor.exe
1360	omsecor.exe
536	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
1984	omsecor.exe
2924	omsecor.exe
2924	omsecor.exe
2976	omsecor.exe
2976	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1984 set thread context of 2924	1984	omsecor.exe	32
PID 3040 set thread context of 2976	3040	omsecor.exe	36
PID 1360 set thread context of 536	1360	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1904 wrote to memory of 1784	1904	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	30
PID 1784 wrote to memory of 1984	1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	31
PID 1784 wrote to memory of 1984	1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	31
PID 1784 wrote to memory of 1984	1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	31
PID 1784 wrote to memory of 1984	1784	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	31
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 1984 wrote to memory of 2924	1984	omsecor.exe	32
PID 2924 wrote to memory of 3040	2924	omsecor.exe	35
PID 2924 wrote to memory of 3040	2924	omsecor.exe	35
PID 2924 wrote to memory of 3040	2924	omsecor.exe	35
PID 2924 wrote to memory of 3040	2924	omsecor.exe	35
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 3040 wrote to memory of 2976	3040	omsecor.exe	36
PID 2976 wrote to memory of 1360	2976	omsecor.exe	37
PID 2976 wrote to memory of 1360	2976	omsecor.exe	37
PID 2976 wrote to memory of 1360	2976	omsecor.exe	37
PID 2976 wrote to memory of 1360	2976	omsecor.exe	37
PID 1360 wrote to memory of 536	1360	omsecor.exe	38
PID 1360 wrote to memory of 536	1360	omsecor.exe	38
PID 1360 wrote to memory of 536	1360	omsecor.exe	38
PID 1360 wrote to memory of 536	1360	omsecor.exe	38
PID 1360 wrote to memory of 536	1360	omsecor.exe	38
PID 1360 wrote to memory of 536	1360	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
"C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
  C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8ac1f6e8b0d90e2ebbb56b8c998ba03b

SHA1
8c7aeb37fb3c6a1434c90589adbd7da342d6b92b

SHA256
59c051aa2cbf1103008dcdbcc24ddeb5bc1b4a4e1954f6120d7ad03ef8f25254

SHA512
5f48162ddf776200e3f815c83416a044851a9a134eaebca7b900a50134326774c492d58d7c14c617bffff3049b9351d54082672a60f445ea3b7fae65a2029b1a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9c0e287d8fa2e060f1eafe7dfb57331a

SHA1
8fc16aaf67104ebcf9008ff62027087716893c93

SHA256
dc1cf3d7cef647e5d7327a8f67f4b914c0f34115136ab8ef6e6148322d9997e3

SHA512
975e5dfd38a0924737c8bcb0e3ff6d08cfc7438726860222a0b0d790667a387acf4b06156d5ff8a7465a8512a10c942a49647baf2520a809c8a4ada9bcf553cc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
487a6fc02406a0ce12882679b4a35827

SHA1
4f4f58db81a0fad32808b74d87f923f20201c613

SHA256
0fafd9a5521cc609c3cf7730532997a94043ef44f302d9c5dfa29916b6929e0e

SHA512
6a03cbb3baab7b365a6709e9b49a0bfc6b7b84e5ab181cb67fedf4a63b5373650741fb7fc507361ab7cd1371a72cbbe91ad59aae0de1f884b8059f3f51a431ef

Download Submit
memory/536-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1360-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1360-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1784-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1784-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1904-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1984-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2924-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-47-0x0000000001FD0000-0x0000000001FF3000-memory.dmp

Filesize
140KB

Download
memory/2924-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-70-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/3040-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download