neconyd | 95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488c

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
Size

134KB
MD5

40e2396dc161bed1a4864ebe78e50320
SHA1

242b7e4f41850080d11d81902cbbea32cf078414
SHA256

95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488c
SHA512

71188890e9856eac2275421c6d795eb40fbc321b511ad27c5c1ae51ce5aea54963d03c315dc9fa2203b4cf41975e7a133e867a5f2e3dc796340b5b6fd00c1008
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:8iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2000	omsecor.exe
2412	omsecor.exe
2604	omsecor.exe
1828	omsecor.exe
1656	omsecor.exe
844	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
2000	omsecor.exe
2412	omsecor.exe
2412	omsecor.exe
1828	omsecor.exe
1828	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2000 set thread context of 2412	2000	omsecor.exe	32
PID 2604 set thread context of 1828	2604	omsecor.exe	36
PID 1656 set thread context of 844	1656	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 2136 wrote to memory of 3016	2136	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	30
PID 3016 wrote to memory of 2000	3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	31
PID 3016 wrote to memory of 2000	3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	31
PID 3016 wrote to memory of 2000	3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	31
PID 3016 wrote to memory of 2000	3016	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	31
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2000 wrote to memory of 2412	2000	omsecor.exe	32
PID 2412 wrote to memory of 2604	2412	omsecor.exe	35
PID 2412 wrote to memory of 2604	2412	omsecor.exe	35
PID 2412 wrote to memory of 2604	2412	omsecor.exe	35
PID 2412 wrote to memory of 2604	2412	omsecor.exe	35
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 2604 wrote to memory of 1828	2604	omsecor.exe	36
PID 1828 wrote to memory of 1656	1828	omsecor.exe	37
PID 1828 wrote to memory of 1656	1828	omsecor.exe	37
PID 1828 wrote to memory of 1656	1828	omsecor.exe	37
PID 1828 wrote to memory of 1656	1828	omsecor.exe	37
PID 1656 wrote to memory of 844	1656	omsecor.exe	38
PID 1656 wrote to memory of 844	1656	omsecor.exe	38
PID 1656 wrote to memory of 844	1656	omsecor.exe	38
PID 1656 wrote to memory of 844	1656	omsecor.exe	38
PID 1656 wrote to memory of 844	1656	omsecor.exe	38
PID 1656 wrote to memory of 844	1656	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
"C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
  C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9b4ed228babe75ddc6fa28e6722ed4fe

SHA1
1156039cb072d47fe38109e8916ba3e04b26cd38

SHA256
c69e950b908a7aa1850414c1408f7819464ebf8efcc89ec9e6a53d376b6196fa

SHA512
1bb34c19add3c13a6f944b4a024c3f84fb8ab7e8f5a1bfc23432fd37b2da7c8126d957e50f476c13cb1f9bdc817b123710e78b796d236bbf3991b7aa2bbfa1e1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d17f3de7e6748c7c73117da1066dc6ec

SHA1
024fc827fe0587e19630fa7466ba7b21a53f6239

SHA256
5f0b9a9026c0c7b93ad9e599ca9499351c9e0ffa69314b72d82f3504426da729

SHA512
7cfd7903a8744eab6d2cfa8c1e201f4388e4bd8e0f1169e586ab3ff531f03622b9dbc2ca11d436dc4e04f8b60a2e8aebd49452ba8f83843be4ac1009d4424042

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
476e31fcb071644fd5fd3ac8bc058161

SHA1
cfd2dcffad9f5e75420615d6950bdb820ebc376b

SHA256
8ebeb9c99551c98131b6d792fc67841634f5f422cbd7d8aa3d3d93562406a503

SHA512
6ed26ba182e511903021623cc350855df06cd5fe0f90c7da36b74b64177ccc967289ea29a889182e177fc0cc226ac7c311200e87e9cad48f249569d6aa6b6afd

Download Submit
memory/844-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1828-67-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2000-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2412-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2604-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2604-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download