neconyd | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Size

96KB
MD5

424f283b670f5184ae95851fe76a3603
SHA1

e95026178513a139cf4c9d44f37d1142bb8559ce
SHA256

0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db
SHA512

a11068534d6917d2bc4a5d985606ad9dc4b5f1c5dc506bd3bae6ee7e251c3c41e53d9b27abcc1712bbc70ef6417436cf7b2fe17cd80bce2adc4bdfb7a2262210
SSDEEP

1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:WGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3040	omsecor.exe
2760	omsecor.exe
1788	omsecor.exe
996	omsecor.exe
280	omsecor.exe
2444	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
3040	omsecor.exe
2760	omsecor.exe
2760	omsecor.exe
996	omsecor.exe
996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 3040 set thread context of 2760	3040	omsecor.exe	32
PID 1788 set thread context of 996	1788	omsecor.exe	36
PID 280 set thread context of 2444	280	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2484 wrote to memory of 2532	2484	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	30
PID 2532 wrote to memory of 3040	2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	31
PID 2532 wrote to memory of 3040	2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	31
PID 2532 wrote to memory of 3040	2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	31
PID 2532 wrote to memory of 3040	2532	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	31
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 3040 wrote to memory of 2760	3040	omsecor.exe	32
PID 2760 wrote to memory of 1788	2760	omsecor.exe	35
PID 2760 wrote to memory of 1788	2760	omsecor.exe	35
PID 2760 wrote to memory of 1788	2760	omsecor.exe	35
PID 2760 wrote to memory of 1788	2760	omsecor.exe	35
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 1788 wrote to memory of 996	1788	omsecor.exe	36
PID 996 wrote to memory of 280	996	omsecor.exe	37
PID 996 wrote to memory of 280	996	omsecor.exe	37
PID 996 wrote to memory of 280	996	omsecor.exe	37
PID 996 wrote to memory of 280	996	omsecor.exe	37
PID 280 wrote to memory of 2444	280	omsecor.exe	38
PID 280 wrote to memory of 2444	280	omsecor.exe	38
PID 280 wrote to memory of 2444	280	omsecor.exe	38
PID 280 wrote to memory of 2444	280	omsecor.exe	38
PID 280 wrote to memory of 2444	280	omsecor.exe	38
PID 280 wrote to memory of 2444	280	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
"C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
53966f9be167af83b0ba210b95aa4a6e

SHA1
c6dd9bf60a28b3112f07d83603baf83dbffad9c0

SHA256
0d70416395b922c2b4e43afc07122734f46911f80ff8886bad5890018aed205a

SHA512
b04ca4174a788a320bc6f17d06527200c357b293b2d5b064b605a8ba24f3f5a55c8b383b8def35e9454ab8dfb7d0e9a9a4124369d024553b67e7430e81fcc834

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
67ba256ad3ce42e329f957afecc53b1c

SHA1
3c47d8dfab424d380346ca146fa1f40de23835cd

SHA256
19cb46945cc3773f307c33886db970a1ebed8753c40244db11e41b6b39088012

SHA512
897b1fb963609939d84281e4e205ae46da0e95d23ce569083fc4f4e93801633b5ae2776677c13ef5b64623a837c696ea990cc26f0c9170d3368f97c642fc6bb9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
8bbf5ec28b6cf69904841b4efdec0d8f

SHA1
ca8fb0842eca9c9b102bc846f43551f4827349bc

SHA256
a24b5bbb3434b5b18cc49fecab6fd2693abe1b6248fcea1681e6de057e886f93

SHA512
626f4dbc54b2a9e828fd31b67c4952269dd61866e987db7fd9b954d9d7d261df3bfc89a78241f35f972d1c17ed301b2140dea41fd09849d00dcce0e4bcaa2905

Download Submit
memory/280-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/280-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/996-73-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/1788-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2444-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2484-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2484-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2532-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2760-54-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2760-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3040-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-25-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/3040-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download