neconyd | 6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
Size

96KB
MD5

df306060b85493b71c7a9c79eef00619
SHA1

1d273403f55aba0a9d851a0952d18553022f550c
SHA256

6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553
SHA512

98e8c95a1bde23f4ad831ac696e9a6d394355d30ed550403f69c6cad04620b33df2a27433d5aa1b92079550720e08ed2b8064d849ab61299e687125853a99d17
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:RGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2976	omsecor.exe
2800	omsecor.exe
1476	omsecor.exe
2944	omsecor.exe
1640	omsecor.exe
1408	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
2976	omsecor.exe
2800	omsecor.exe
2800	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 2976 set thread context of 2800	2976	omsecor.exe	31
PID 1476 set thread context of 2944	1476	omsecor.exe	34
PID 1640 set thread context of 1408	1640	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 108 wrote to memory of 2008	108	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	29
PID 2008 wrote to memory of 2976	2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	30
PID 2008 wrote to memory of 2976	2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	30
PID 2008 wrote to memory of 2976	2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	30
PID 2008 wrote to memory of 2976	2008	6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe	30
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2976 wrote to memory of 2800	2976	omsecor.exe	31
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
"C:\Users\Admin\AppData\Local\Temp\6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
  C:\Users\Admin\AppData\Local\Temp\6bd01e0e132d8636a63b62930e8934b2388ce9bd9eab5799d979604d79d19553.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7e3c477d0c26934e62ac496f1a552ccd

SHA1
a9ec0d7eac5b887a026f4f43423ba36a769bf450

SHA256
cb81276fc27fce16497d0e212153e2dfd4380f115413991212ac44589e92ba94

SHA512
5fc33534b58518686048a947b8e1b71a8c5efbcffcb15c67467d6cb02c90178c07f414ef3ef5e47dbcced1bd6481ddbdd8e2cd377170d083ed7cd5b92645e124

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d65fee4ebd0513e81ecbf7caee76953f

SHA1
23d62d2ce3679ff4ae172a90e79002197797919b

SHA256
137eeb745b91879b7676761d3a77cf7c210f4c2da4318934d13a7f35eb9abeaf

SHA512
36ac68f13d411210410d27a7a023466b822e148c7e6cb3612277344c3bc4ec61e2a7900c0d7ec8fa196678b589fcd0f5208722aa4c4b4429f0d45dc70cb47adc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
8ff929ad977e528732cf52a9ccac0fe6

SHA1
567dc6aed1f644a1effe00cbd2b0eb9b3295716e

SHA256
e6074f0f1f6911b349383e0123d824820683dbeafc93c1980b6342bedc168a7e

SHA512
2f648c2ac838bce4e2a74917c40352e3162e9787a5ecfc20d13e7c786cafc1f69913a0581250bf8bd7b923244cb6f70b0ffd07c1e58540f92995ef1f41479a7b

Download Submit
memory/108-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/108-7-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/108-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1408-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1408-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-48-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2800-58-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2800-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2976-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2976-34-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2976-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download