neconyd | b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Size

134KB
MD5

98bc18d83207c88983f907562764918b
SHA1

ca02fb1d6c55cca9ec9353ab2a6c377109c1cd55
SHA256

b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42
SHA512

b6062b0ad9216c9a4a0763e8d5594b3f81f97da9343769c43d006e347803be595bdec05127b1e1a4a8dd162ce86c193a5bb2ba5ebefa90f616a1b38ecc0ab85e
SSDEEP

1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:jiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2644	omsecor.exe
2652	omsecor.exe
2340	omsecor.exe
1700	omsecor.exe
2732	omsecor.exe
852	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
2644	omsecor.exe
2652	omsecor.exe
2652	omsecor.exe
1700	omsecor.exe
1700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 2644 set thread context of 2652	2644	omsecor.exe	30
PID 2340 set thread context of 1700	2340	omsecor.exe	35
PID 2732 set thread context of 852	2732	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 3044 wrote to memory of 2132	3044	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	28
PID 2132 wrote to memory of 2644	2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	29
PID 2132 wrote to memory of 2644	2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	29
PID 2132 wrote to memory of 2644	2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	29
PID 2132 wrote to memory of 2644	2132	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	29
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2644 wrote to memory of 2652	2644	omsecor.exe	30
PID 2652 wrote to memory of 2340	2652	omsecor.exe	34
PID 2652 wrote to memory of 2340	2652	omsecor.exe	34
PID 2652 wrote to memory of 2340	2652	omsecor.exe	34
PID 2652 wrote to memory of 2340	2652	omsecor.exe	34
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 2340 wrote to memory of 1700	2340	omsecor.exe	35
PID 1700 wrote to memory of 2732	1700	omsecor.exe	36
PID 1700 wrote to memory of 2732	1700	omsecor.exe	36
PID 1700 wrote to memory of 2732	1700	omsecor.exe	36
PID 1700 wrote to memory of 2732	1700	omsecor.exe	36
PID 2732 wrote to memory of 852	2732	omsecor.exe	37
PID 2732 wrote to memory of 852	2732	omsecor.exe	37
PID 2732 wrote to memory of 852	2732	omsecor.exe	37
PID 2732 wrote to memory of 852	2732	omsecor.exe	37
PID 2732 wrote to memory of 852	2732	omsecor.exe	37
PID 2732 wrote to memory of 852	2732	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
"C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
  C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
38558e5f21c3321c91e3f8257952429b

SHA1
ed0679de9dc7567f19e87982e68165086a4bed5c

SHA256
ba72918598727e6415bbd398684717d2bdb8ecd84e46ee7896f9927785a4e86d

SHA512
56aa885c0754a2ca12c4a0c3b3997960af0b18418df59b4fb1729991a5026d2b98d727b1c07ee33df9f32fdc6a05e1785499868760333a8daf32ed4f18a9adf0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
263b8263f985bc8de99cb378893360ce

SHA1
2fcd8f9d37ba6149a2fe60425f322825ae302291

SHA256
c11f28b8d8a5c5275591f1aeb0dc84f85dfa097a9d968fcbfde2728d2564ca90

SHA512
b4a136f03e30e0fd8846683fce25cd4a19f9d519a7aa092f304fbced663e3e26f4313bc7cd34b6c9a284edc573f16d31ca12cb0a0ad69ba22f2456db676cdd9d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
57a3e26be69c9fd19647a9f1ab793c21

SHA1
3fa41d76518b0c9f16b42eabe6e09b91ef101669

SHA256
295095823effae88ba2d379830cd3db228aad5416ac41d13c570c5d1d3b108d9

SHA512
07b0437f880ea57809c9be5cc6afa6e767bb6d0ffe99950ff3748b880035f0d6a3214fb33beef7e7b46fcb368f28abdabcc020e2feac78ff14af18486744834d

Download Submit
memory/852-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/852-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1700-67-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/1700-75-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2132-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2652-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-45-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2652-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3044-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3044-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download