neconyd | 6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Size

96KB
MD5

814733274f353ce8fc4f848ededbe1d0
SHA1

09f8833933b33adffe648fdc6c7723e8e2a89a57
SHA256

6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89
SHA512

4e0a8812c1622b82a4805258bd1b82565599eb9070f6bf9eb172adadfec30365192349792b45184f3ec7efccb0ce02c3bb31970f103df31813e15342206ff5dc
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:EGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2852	omsecor.exe
2856	omsecor.exe
580	omsecor.exe
1680	omsecor.exe
2556	omsecor.exe
2172	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
2852	omsecor.exe
2856	omsecor.exe
2856	omsecor.exe
1680	omsecor.exe
1680	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2852 set thread context of 2856	2852	omsecor.exe	33
PID 580 set thread context of 1680	580	omsecor.exe	37
PID 2556 set thread context of 2172	2556	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2412 wrote to memory of 2684	2412	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	31
PID 2684 wrote to memory of 2852	2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	32
PID 2684 wrote to memory of 2852	2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	32
PID 2684 wrote to memory of 2852	2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	32
PID 2684 wrote to memory of 2852	2684	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	32
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2852 wrote to memory of 2856	2852	omsecor.exe	33
PID 2856 wrote to memory of 580	2856	omsecor.exe	36
PID 2856 wrote to memory of 580	2856	omsecor.exe	36
PID 2856 wrote to memory of 580	2856	omsecor.exe	36
PID 2856 wrote to memory of 580	2856	omsecor.exe	36
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 580 wrote to memory of 1680	580	omsecor.exe	37
PID 1680 wrote to memory of 2556	1680	omsecor.exe	38
PID 1680 wrote to memory of 2556	1680	omsecor.exe	38
PID 1680 wrote to memory of 2556	1680	omsecor.exe	38
PID 1680 wrote to memory of 2556	1680	omsecor.exe	38
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39
PID 2556 wrote to memory of 2172	2556	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
"C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6ebfdd297b8dbfdda90e46785788f35b

SHA1
a7fac01130f84b7827df1d7fdac4bba2fde58762

SHA256
d38259ea04d6c7ea46c4cecbeb2bc90c923bff6489c34fbd4d7b9a4b906c7166

SHA512
9160b5b22a08645e602cef60333bc3181a8d043113bbe55cdd450a6fac603b7be179b6af01e9ea2b55e8109d817cd408f1fd8009d54663b19e5f74bf6a3615e5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b82013e755f4aace44fa10f6071d168f

SHA1
f8c03409d9bbf4a6fa6123e5baf0f13a44f85b86

SHA256
10a432577754c88bf8c2d9a476f1afe63fb72fc79c8ccb3b4be7c771f55162c4

SHA512
b81b2332934455276e777e3cd1c71d4d1638a4167f8036981cc6bcc1d7dee1bd49b9506f29e3c6ad5c98d6a78d154c75da61bd97ba6c5b72e5318caa254ede1e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3ceedaf0cd37ce66bf3a2277803a27b4

SHA1
d1853f6a36dad1e721f6b0c63a281b4a799e9ae6

SHA256
38c8a25d73dedab66d7e8c472d1eb1f2768f29f213b50d9a200bc71e4bafe570

SHA512
08e9f512a282b5cc6ab32319787462a8b9ac66f95841c4fcb668d818341a06920051cb092dfb1dda0b8a574adc4244a9702682a9f7d34dda7b009af9e066f580

Download Submit
memory/580-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/580-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1680-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2172-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2412-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2556-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2556-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-24-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2852-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2856-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-47-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2856-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download