neconyd | 2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
Size

134KB
MD5

ffd393c95099a09f7fa9e5af1071da2c
SHA1

4dce504ca96b683483bc13db23810c116142b8ea
SHA256

2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46
SHA512

5563c114746c8e4fb660f2c0f8f9f3355e19e22118df346b049c9f2387a390c2ec33defc2fcfcbbe94cb9c81045ba873df7c2196dbf4ee8dd0299f2cbec76b82
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiv:8iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2148	omsecor.exe
2164	omsecor.exe
1936	omsecor.exe
1268	omsecor.exe
2604	omsecor.exe
2584	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
2148	omsecor.exe
2164	omsecor.exe
2164	omsecor.exe
1268	omsecor.exe
1268	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2148 set thread context of 2164	2148	omsecor.exe	33
PID 1936 set thread context of 1268	1936	omsecor.exe	37
PID 2604 set thread context of 2584	2604	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2192 wrote to memory of 2940	2192	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	31
PID 2940 wrote to memory of 2148	2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	32
PID 2940 wrote to memory of 2148	2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	32
PID 2940 wrote to memory of 2148	2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	32
PID 2940 wrote to memory of 2148	2940	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	32
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2148 wrote to memory of 2164	2148	omsecor.exe	33
PID 2164 wrote to memory of 1936	2164	omsecor.exe	36
PID 2164 wrote to memory of 1936	2164	omsecor.exe	36
PID 2164 wrote to memory of 1936	2164	omsecor.exe	36
PID 2164 wrote to memory of 1936	2164	omsecor.exe	36
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1936 wrote to memory of 1268	1936	omsecor.exe	37
PID 1268 wrote to memory of 2604	1268	omsecor.exe	38
PID 1268 wrote to memory of 2604	1268	omsecor.exe	38
PID 1268 wrote to memory of 2604	1268	omsecor.exe	38
PID 1268 wrote to memory of 2604	1268	omsecor.exe	38
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39
PID 2604 wrote to memory of 2584	2604	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
"C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
  C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e39c759d06f52d4c0ed51fefebdc2342

SHA1
a99877f6d34653c4163fdc5cede9b70e61f492f1

SHA256
fa09cdfb7306cf78105dfc7eb06ae6969fe4770c5ef8e20a10cf646c2836ceb5

SHA512
74e6ba03b811ccecec58a663e5178ef6d129d5efb1300f8eff91374575f8f4a042b9bbd22e3ec2c49930b1b11597a4524ccdab3f026317760e14db666888957e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
83da18e0f67afadeeae12ee786f1d6c2

SHA1
da5465f8eab2288443cf67b27ecafb910c667775

SHA256
5a855f8619db1045964eeb2313c38032297086b2c48b5516c790a58f7a45531b

SHA512
e554bba37a2b801027e4484788881d9163488a933b200fa78b675e4b9b4324d32ec3167bd0bb94c9e091486c6a300e5e648c7be9f998e4722bc204f480768f1b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
5602dae37ccfa533fadb4bb95a9e25fe

SHA1
490f00a6a28b85166c4e89bd09eedf83577a2a15

SHA256
dd3ead5c04c0a2177ecf742b2612276a078f8682692b3922b6d280c2bc97ecee

SHA512
0ca9ebce29344cc8f70ee54d643707d47b724fc06d7d43dcb713da5f8249d787a06f7a5c6ef174e61d5737c337f4187285bb53c6af2ac95a992c31711a5b84e4

Download Submit
memory/1936-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1936-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2148-23-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2148-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2148-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2164-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-46-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2164-52-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2164-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2192-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2604-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2604-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download