neconyd | c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Size

96KB
MD5

db7b422f5b010b0473a544c5014ebfe0
SHA1

d0c3a080ce186aff0c6ca776c3b99d62b53d36ed
SHA256

c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3
SHA512

e319b6c244157ca4438b4bfb4e5e7de807aa56d5c82c241ac89a930144f47f369d39f8e25c7dcfce8eec78fbdf8838f874390a80f685cad0345f345d418d8f14
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:jGs8cd8eXlYairZYqMddH13J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2808	omsecor.exe
2684	omsecor.exe
2888	omsecor.exe
1792	omsecor.exe
2124	omsecor.exe
1632	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
2808	omsecor.exe
2684	omsecor.exe
2684	omsecor.exe
1792	omsecor.exe
1792	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2808 set thread context of 2684	2808	omsecor.exe	32
PID 2888 set thread context of 1792	2888	omsecor.exe	36
PID 2124 set thread context of 1632	2124	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 2644 wrote to memory of 1364	2644	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	30
PID 1364 wrote to memory of 2808	1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	31
PID 1364 wrote to memory of 2808	1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	31
PID 1364 wrote to memory of 2808	1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	31
PID 1364 wrote to memory of 2808	1364	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	31
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2808 wrote to memory of 2684	2808	omsecor.exe	32
PID 2684 wrote to memory of 2888	2684	omsecor.exe	35
PID 2684 wrote to memory of 2888	2684	omsecor.exe	35
PID 2684 wrote to memory of 2888	2684	omsecor.exe	35
PID 2684 wrote to memory of 2888	2684	omsecor.exe	35
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 2888 wrote to memory of 1792	2888	omsecor.exe	36
PID 1792 wrote to memory of 2124	1792	omsecor.exe	37
PID 1792 wrote to memory of 2124	1792	omsecor.exe	37
PID 1792 wrote to memory of 2124	1792	omsecor.exe	37
PID 1792 wrote to memory of 2124	1792	omsecor.exe	37
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38
PID 2124 wrote to memory of 1632	2124	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
"C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
  C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2aed31ff0df4d34a3e71918f2a13be03

SHA1
b18fa3a7d34d72cbc665073ab895c7cd38310d2d

SHA256
81faaf01155fee7b19fcb3cce84f852c9d1b72d5e38186864cef2ef8274a6885

SHA512
887892458bb6296cf614b25803e6642637f59cc308483e2038f902dce5ddadb025d22d2d0a30191a3baedfc33ff47ec33d30fbd8bfc026199e06684e5b3e1503

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
90052892383003eb4ab19f4915422642

SHA1
08657c102912402a8b9ed1f4367104db2cfa4edc

SHA256
f7646e5b46c9e75abc235da085fa57cd79e8c5bac2c3450bea36ff6cfa0ccbb0

SHA512
3cb66167042fc2c85b71132b2887de15a5554f332773c3548caf5ed65003092be114905beaf23be9d4e6bbdc5b0a17906c9b77e986280321500b0246765c708e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
59039295872fb0b941b03a158dca1ab1

SHA1
9a4b18475ef96fdcd0c12d0fc9ae0130fcc4d36f

SHA256
43e0b76c4ee42bcc7cbb879cdf6b86f60f028ff91256d5d5b352d902010d30b4

SHA512
7e185a0249e903362500a60a4347135ef86c68136a88511e0f4531788195505ca9c51dcc37665b93035104470ed733a8666e5875f671aac9e2665c494b961f6a

Download Submit
memory/1364-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1364-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1364-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1364-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1364-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1364-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1632-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2124-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2124-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-47-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2684-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2808-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download