neconyd | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
Size

96KB
MD5

bd7713ed8422c64dff66486d55ce4a50
SHA1

5d94eb3814fcc4b464f025075ccf78aa7789b71f
SHA256

d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34
SHA512

c4482819a5463759c1a79c14147472ce1542eb175d788d394358ea3ee70909dde733f2b0523e240abda86ea339479081d0f4d75eef74a75a89e06876573c9ac5
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:4Gs8cd8eXlYairZYqMddH13J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2988	omsecor.exe
2484	omsecor.exe
972	omsecor.exe
2504	omsecor.exe
836	omsecor.exe
840	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
2988	omsecor.exe
2484	omsecor.exe
2484	omsecor.exe
2504	omsecor.exe
2504	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2988 set thread context of 2484	2988	omsecor.exe	31
PID 972 set thread context of 2504	972	omsecor.exe	34
PID 836 set thread context of 840	836	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2304 wrote to memory of 2216	2304	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	29
PID 2216 wrote to memory of 2988	2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	30
PID 2216 wrote to memory of 2988	2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	30
PID 2216 wrote to memory of 2988	2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	30
PID 2216 wrote to memory of 2988	2216	d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe	30
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2988 wrote to memory of 2484	2988	omsecor.exe	31
PID 2484 wrote to memory of 972	2484	omsecor.exe	33
PID 2484 wrote to memory of 972	2484	omsecor.exe	33
PID 2484 wrote to memory of 972	2484	omsecor.exe	33
PID 2484 wrote to memory of 972	2484	omsecor.exe	33
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 972 wrote to memory of 2504	972	omsecor.exe	34
PID 2504 wrote to memory of 836	2504	omsecor.exe	35
PID 2504 wrote to memory of 836	2504	omsecor.exe	35
PID 2504 wrote to memory of 836	2504	omsecor.exe	35
PID 2504 wrote to memory of 836	2504	omsecor.exe	35
PID 836 wrote to memory of 840	836	omsecor.exe	36
PID 836 wrote to memory of 840	836	omsecor.exe	36
PID 836 wrote to memory of 840	836	omsecor.exe	36
PID 836 wrote to memory of 840	836	omsecor.exe	36
PID 836 wrote to memory of 840	836	omsecor.exe	36
PID 836 wrote to memory of 840	836	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
"C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
  C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3a090f39f732307373380b0a33b6806d

SHA1
41606e9188d956b1c3683ac588c3d4a0d4e994ae

SHA256
33e6e6c57e92b416ccf86d428c95ab2bc7ef48b36436191e89abe57cb02d425d

SHA512
8c4a92947298ad2737a4a926277763ddf4c8b1880ae17ef9fcb87ebc5e7927663352459267fc394bce31459e7871f6e846b8528424927e2ecc81ab14ceb457b3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e2685e4a55e061c4ef957a1ea754d226

SHA1
7d9ae2c64c6475118056d8e9a779ad1d15b8220f

SHA256
8a59b11af8ad2f0523084f0ce4904f3859dfdfb6e4b2f8b6f6fc75fbf51ef7b7

SHA512
749d7a3765a460c41f7d9cea5a74664859fc405286f568f7eba89a9bdf13235f99e9b9d47feba2659babc195ca3877b1131830f989fce33cceae13c0cfc0e3f9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b9b07e638f19002bf42b1b255c6ab1d7

SHA1
91821e14f51f99bdface0489b58dfeb9abbd36fe

SHA256
bcef61bbd14147316e514f5f79d25776a7bb07091b67c57eef7bea63bd7cbc88

SHA512
11ecf64ccc8e139389324c9909ff2e8e0ec01239f321f1ce3cb0e184309d875e4dd8f473a923ebe15a93e8741f944fde9e0997c657d0b7d8f8cb1728dce1bf6c

Download Submit
memory/836-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/836-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/840-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/972-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/972-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2216-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2304-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2304-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2484-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-49-0x00000000004A0000-0x00000000004C3000-memory.dmp

Filesize
140KB

Download
memory/2484-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-80-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2504-78-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2988-25-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/2988-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download