neconyd | 5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d

Analysis

max time kernel
116s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
Size

96KB
MD5

e23e1066967cfe27f0bad4cbab114e0e
SHA1

7f4af7f5b9c2021c553d4bec0915f1ab56c2630b
SHA256

5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d
SHA512

2f5741e0fe892e064024a84b03b9973550dfd86ab1df591f6ad11a6ff25c7333967f8c49b97362998d5ee77b0ec781bdfbada240c1d4f59c5af0ba01f89fe645
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:EGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2416	omsecor.exe
2140	omsecor.exe
2612	omsecor.exe
764	omsecor.exe
2912	omsecor.exe
1208	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
2416	omsecor.exe
2140	omsecor.exe
2140	omsecor.exe
764	omsecor.exe
764	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2416 set thread context of 2140	2416	omsecor.exe	33
PID 2612 set thread context of 764	2612	omsecor.exe	36
PID 2912 set thread context of 1208	2912	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 2320 wrote to memory of 1248	2320	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	31
PID 1248 wrote to memory of 2416	1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	32
PID 1248 wrote to memory of 2416	1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	32
PID 1248 wrote to memory of 2416	1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	32
PID 1248 wrote to memory of 2416	1248	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	32
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2416 wrote to memory of 2140	2416	omsecor.exe	33
PID 2140 wrote to memory of 2612	2140	omsecor.exe	35
PID 2140 wrote to memory of 2612	2140	omsecor.exe	35
PID 2140 wrote to memory of 2612	2140	omsecor.exe	35
PID 2140 wrote to memory of 2612	2140	omsecor.exe	35
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 2612 wrote to memory of 764	2612	omsecor.exe	36
PID 764 wrote to memory of 2912	764	omsecor.exe	37
PID 764 wrote to memory of 2912	764	omsecor.exe	37
PID 764 wrote to memory of 2912	764	omsecor.exe	37
PID 764 wrote to memory of 2912	764	omsecor.exe	37
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38
PID 2912 wrote to memory of 1208	2912	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
  C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
48ebb298181ab30c984aede914af5c85

SHA1
51193285d5ce7d982535063fa5c70941e14ab5f5

SHA256
4e46ccb6b95b9d2c36740e1e4034e7eecfdb4febd1709f909c26a37d43a01d14

SHA512
2e49a8bb05fa159067a98574db812a80247fccc0e7d43c515a249867553d7343c1fe87e6801c70be77f47717e6533e9da04ceb757369eb7af3f5caaea37896af

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ea2419c8f008ff762eb29f2f2cf09fef

SHA1
086069c1daf4eebc18c836d33c14b1d4c749e172

SHA256
aa6a222323ee325e2d68a78bf08b1f93c7a3bcf437ebb43c28dbd29874dbefa5

SHA512
fc8b96b101a6dc84f9a6c337328ca2664693c0df4ab00b4e621bec93d8bf3235fd0038050f494f0577572c9fda9d5374b28a3327042a172036040f048b37d805

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f79ec77596a8137b204bae77224549b4

SHA1
1497284a2e480028115a062803ac5de3bc786d75

SHA256
2cce55c31369d93fa2ed5c55fc0be9566926487036ed3c1a8f187745bfb8427e

SHA512
d94d6b0e5f4668d22099fcaa2f55dfce58f306ab534518b4c39a7af0df4796208b1a9b849ecd3ad6db1e8342c3a77baf1ca1edca86da2fb4e75bdd08e2e68a89

Download Submit
memory/764-70-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1208-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-47-0x0000000000320000-0x0000000000343000-memory.dmp

Filesize
140KB

Download
memory/2320-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2320-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2416-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2612-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download