neconyd | 61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Size

96KB
MD5

95a659337ba9854552afc655c14415c0
SHA1

d1698c372887ff93d1bdb37cdb9437b86559e961
SHA256

61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0
SHA512

ef08e6157d7e84571f7accafa96b64fc8e144b72bac4a4c968be875a555470ff74347510b723bf9279b3b7f2867189f3ddddccd5ec500f34ebbe086fe5b9f999
SSDEEP

1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:fGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2716	omsecor.exe
2516	omsecor.exe
772	omsecor.exe
1452	omsecor.exe
1392	omsecor.exe
2196	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
2716	omsecor.exe
2516	omsecor.exe
2516	omsecor.exe
1452	omsecor.exe
1452	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 2716 set thread context of 2516	2716	omsecor.exe	32
PID 772 set thread context of 1452	772	omsecor.exe	35
PID 1392 set thread context of 2196	1392	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3040 wrote to memory of 3064	3040	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	30
PID 3064 wrote to memory of 2716	3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	31
PID 3064 wrote to memory of 2716	3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	31
PID 3064 wrote to memory of 2716	3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	31
PID 3064 wrote to memory of 2716	3064	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	31
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2716 wrote to memory of 2516	2716	omsecor.exe	32
PID 2516 wrote to memory of 772	2516	omsecor.exe	34
PID 2516 wrote to memory of 772	2516	omsecor.exe	34
PID 2516 wrote to memory of 772	2516	omsecor.exe	34
PID 2516 wrote to memory of 772	2516	omsecor.exe	34
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 772 wrote to memory of 1452	772	omsecor.exe	35
PID 1452 wrote to memory of 1392	1452	omsecor.exe	36
PID 1452 wrote to memory of 1392	1452	omsecor.exe	36
PID 1452 wrote to memory of 1392	1452	omsecor.exe	36
PID 1452 wrote to memory of 1392	1452	omsecor.exe	36
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37
PID 1392 wrote to memory of 2196	1392	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
"C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
  C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c8d08fd0969ae3efa590c45cd4fa1284

SHA1
a4df5ff9c1525d224fc8c958872df8edabb56c69

SHA256
aa7fe942285d6c9c7c5b89abea90a6be7504835a6024272729117ed63e919421

SHA512
08589c178eade936993f6ecd047b189a24164544c111446aef73e1d2b3113d4590058b28b992da875929d6cb7eb00162f6970ac964d6f9a5c8b8213e0d378888

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8fece7320881d0330e4b90257078f72a

SHA1
c4ac69e34a51af8134ed7d937797d643defd021f

SHA256
004f6cc34509832f8f2bb68b9bf4efb9a8db54fb9d1413363c33f0d4ffb3d011

SHA512
55c303dd7bd01ef93835c155a5e5418cc69e001e8d3bb9206dde559b06784af4709508040dba887ef5dbe888d8960048a75d7ced558e373e527c60a8f4e55191

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
31aa2b31c51d1cadb6d59b630f0d5e8b

SHA1
3ea39123811727a63dc90991b6e02b646aa1cc80

SHA256
52623e3e841b4d145cc10c7496fc5eca0ae393b3e01775d3563cd43040ff8b9c

SHA512
6f213bdf00bb4946fdde8f58cb7505ce8937cae18b0b4946297126ed07705d264daebf7b60ce1b31027b7fbed1fc1ce451688574e95cb06a86aa5e741731cd0a

Download Submit
memory/772-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/772-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1392-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1452-71-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2196-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-54-0x0000000001F60000-0x0000000001F83000-memory.dmp

Filesize
140KB

Download
memory/2516-47-0x0000000001F60000-0x0000000001F83000-memory.dmp

Filesize
140KB

Download
memory/2516-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3064-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download