neconyd | 7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38

Analysis

max time kernel
112s
max time network
105s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
Size

96KB
MD5

d1c25d28aa9af072868f45ef116b3740
SHA1

ea8f590868b6dfdadae4ddf8e37b0f3973b1ecd6
SHA256

7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38
SHA512

2ca62e04345a1ae85b50db9875493e2b0750dae5514cb2469f9160b052c21800c60e457342a6e330ffd41d97e2fde3f6732bda90a21c1f362a0164f4241e7358
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:rGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2344	omsecor.exe
2204	omsecor.exe
1672	omsecor.exe
756	omsecor.exe
2856	omsecor.exe
2408	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
2344	omsecor.exe
2204	omsecor.exe
2204	omsecor.exe
756	omsecor.exe
756	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2344 set thread context of 2204	2344	omsecor.exe	33
PID 1672 set thread context of 756	1672	omsecor.exe	36
PID 2856 set thread context of 2408	2856	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2296 wrote to memory of 2096	2296	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	31
PID 2096 wrote to memory of 2344	2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	32
PID 2096 wrote to memory of 2344	2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	32
PID 2096 wrote to memory of 2344	2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	32
PID 2096 wrote to memory of 2344	2096	7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe	32
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2344 wrote to memory of 2204	2344	omsecor.exe	33
PID 2204 wrote to memory of 1672	2204	omsecor.exe	35
PID 2204 wrote to memory of 1672	2204	omsecor.exe	35
PID 2204 wrote to memory of 1672	2204	omsecor.exe	35
PID 2204 wrote to memory of 1672	2204	omsecor.exe	35
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 1672 wrote to memory of 756	1672	omsecor.exe	36
PID 756 wrote to memory of 2856	756	omsecor.exe	37
PID 756 wrote to memory of 2856	756	omsecor.exe	37
PID 756 wrote to memory of 2856	756	omsecor.exe	37
PID 756 wrote to memory of 2856	756	omsecor.exe	37
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38
PID 2856 wrote to memory of 2408	2856	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
"C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
  C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
194cdea28d4d0786e88cd47cb76216c0

SHA1
e95511031fadde5d9294e9efd75c70f2bc304ece

SHA256
2fdb24c71ea6cb9c44022d9f33b2e548517c6abb42240d6adf6063690065854e

SHA512
de3dfa34e49899892be2f8fe62d158fcdcc62822d4b84a202c75aeddfdee6e35c406f1a9925a70616c76077b6aaa5b91e6076230b4d762d0edf2a3a660922304

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1ff6230bd3d3eeaf85a5bb5b2e7f401e

SHA1
6cbe81625d097d110bba3a85e9f89b2f5a7d7ea6

SHA256
3e8014240122dfd4bc0025e6366a15c07b55a8112d330ba6353099d444baf104

SHA512
85b8f31af28b14c22664df85a3db8077256922f5e33588ba7761b528028562c9413861e90d44560bb7b32c65ccb285a5a6499abc82ebedcad47ddedebab0d6f9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
41f0d1afc0bd6da47092ff470dbdb3e8

SHA1
2c38e5758b6ff902ba6f8a52f9479321e48674fb

SHA256
54e560189a2ef01a1e9136ae64518badb879333239d8f3c4d85164b834ddde88

SHA512
4f20a3bd269a4eda16f4c2988e59c6852ade677e9b90a0b9ec55af3a79858d47544452420daaeb63f08ae5d720cf2492fc514dadfc1fa4fb9bd4ddc79c4a448c

Download Submit
memory/756-93-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/756-80-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/756-81-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1672-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2096-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-49-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2204-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2204-56-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2296-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2344-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2856-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download