neconyd | bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
Size

96KB
MD5

457a82e3e0a146a22e9dbacd802b75e6
SHA1

3198f8c4b0b1fcf8a03f3f90e7e9bc70ddc4b5aa
SHA256

bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e
SHA512

1d89cc96d6edb9d7918b9de9fccaa91a7c8f8ee77d7c58f33f5877406189aede63167c950ab0408651da7619b773742e2945529a061ae08f3d6aa411e6f0912b
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:EGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2168	omsecor.exe
2912	omsecor.exe
3004	omsecor.exe
2428	omsecor.exe
1576	omsecor.exe
836	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
2168	omsecor.exe
2912	omsecor.exe
2912	omsecor.exe
2428	omsecor.exe
2428	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2168 set thread context of 2912	2168	omsecor.exe	32
PID 3004 set thread context of 2428	3004	omsecor.exe	35
PID 1576 set thread context of 836	1576	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 2652 wrote to memory of 1796	2652	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	30
PID 1796 wrote to memory of 2168	1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	31
PID 1796 wrote to memory of 2168	1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	31
PID 1796 wrote to memory of 2168	1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	31
PID 1796 wrote to memory of 2168	1796	bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe	31
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2168 wrote to memory of 2912	2168	omsecor.exe	32
PID 2912 wrote to memory of 3004	2912	omsecor.exe	34
PID 2912 wrote to memory of 3004	2912	omsecor.exe	34
PID 2912 wrote to memory of 3004	2912	omsecor.exe	34
PID 2912 wrote to memory of 3004	2912	omsecor.exe	34
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 3004 wrote to memory of 2428	3004	omsecor.exe	35
PID 2428 wrote to memory of 1576	2428	omsecor.exe	36
PID 2428 wrote to memory of 1576	2428	omsecor.exe	36
PID 2428 wrote to memory of 1576	2428	omsecor.exe	36
PID 2428 wrote to memory of 1576	2428	omsecor.exe	36
PID 1576 wrote to memory of 836	1576	omsecor.exe	37
PID 1576 wrote to memory of 836	1576	omsecor.exe	37
PID 1576 wrote to memory of 836	1576	omsecor.exe	37
PID 1576 wrote to memory of 836	1576	omsecor.exe	37
PID 1576 wrote to memory of 836	1576	omsecor.exe	37
PID 1576 wrote to memory of 836	1576	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
"C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
  C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1877fee05d1d7194a2b666097bed2003

SHA1
c1e16075caa495602758216adeee5a4a59d782d8

SHA256
36140d63698d9294fb0f1663a370e0b3b5627ae6357a6f43fb2d914394a48823

SHA512
ecd404c1e3798c86ad7a52ce2d1a9bf9bf688f13655caf7e9832c4083f32e10f0d430785b6b5afbc83060fa370822e75f073d7b19739dbea3f007181395d7d7f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a3b53c494183a6a24b9c0be9e59d4e2f

SHA1
13d0d65c6ea5c2082d4a11026adf872f6d1ba561

SHA256
ae7913f1601c7f2054b7698cc8ad63caf922a6702f504ffc4e72c46601e19ffc

SHA512
9c9ddedd1898d8d999b12a2e4541e3ae8d109973b44c471bd67aa2b1a8961f564dea6a2b43bf4844e53357f9bbf3dd7f89fb9ebc64da1301dcfde0384ca5afa8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b9f8811e8ddf167196c1b3b1aeb6fdcf

SHA1
19291d42037f601b5c880a6d7d7102f85e44adf2

SHA256
80d44b014837d5e71be18caeed5d8188cd14534926f7c9e8386950126394352b

SHA512
7da3785a7eb337541388531ca49d44888511db182b7458b1e5c8727ebc54fc2ac387ecc1719d6746c0c9ecea390f5a79241fb483429a7d2aead2b1146c69bf00

Download Submit
memory/836-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1576-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1796-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1796-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2168-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2168-29-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2428-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2652-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-54-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2912-48-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2912-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download