neconyd | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/01/2025, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Size

96KB
MD5

5ec2d98eed16ff460b007d4e1906b847
SHA1

083ea682b0221622e57184ba39a8a15477a426fd
SHA256

7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345
SHA512

65d570166147941bfb8a52c4f09c2502bb070b083b92d9177b7f1a5906da2a28197bdc31cc4bf7f9326ce68fd52e59c318191610829d0c29e610faeb3249a793
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2892	omsecor.exe
2720	omsecor.exe
2780	omsecor.exe
1148	omsecor.exe
2772	omsecor.exe
2484	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
2892	omsecor.exe
2720	omsecor.exe
2720	omsecor.exe
1148	omsecor.exe
1148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2892 set thread context of 2720	2892	omsecor.exe	32
PID 2780 set thread context of 1148	2780	omsecor.exe	36
PID 2772 set thread context of 2484	2772	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2860 wrote to memory of 2988	2860	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	30
PID 2988 wrote to memory of 2892	2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	31
PID 2988 wrote to memory of 2892	2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	31
PID 2988 wrote to memory of 2892	2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	31
PID 2988 wrote to memory of 2892	2988	7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe	31
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2892 wrote to memory of 2720	2892	omsecor.exe	32
PID 2720 wrote to memory of 2780	2720	omsecor.exe	35
PID 2720 wrote to memory of 2780	2720	omsecor.exe	35
PID 2720 wrote to memory of 2780	2720	omsecor.exe	35
PID 2720 wrote to memory of 2780	2720	omsecor.exe	35
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 2780 wrote to memory of 1148	2780	omsecor.exe	36
PID 1148 wrote to memory of 2772	1148	omsecor.exe	37
PID 1148 wrote to memory of 2772	1148	omsecor.exe	37
PID 1148 wrote to memory of 2772	1148	omsecor.exe	37
PID 1148 wrote to memory of 2772	1148	omsecor.exe	37
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38
PID 2772 wrote to memory of 2484	2772	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
"C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
  C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
23d1cf278ac56ac9435ba38ab08205bf

SHA1
88821ebd6beff95e06b8cdda9769a226792e12e7

SHA256
f8ae97a2442f7a0d7c37b633de740a13ec45c0b06390080e85f34312e5377f28

SHA512
458e47b01a62750aa97b1d163077695bd0b493f9674ebb2a3105b5c6b592f86fb80d0889e6b1402be57326fb084119b16ff66cc3bd1cb825a894ce4723d904ad

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e682c1925b9ed7113958cdf381418d4d

SHA1
3268466b6d2272a9e56c25147eb00aad42f9907b

SHA256
b539bfd50645c1d94ef1b97bc889b53f8eae8c5bc16c3620ffbabef78345920e

SHA512
c01b2c74c0159b14b9e33cb8a551ba1b904bbc2c708a2a3b4972f46a990f092c26c4b559cb8b4b8fdaf9330aa3f6082291f75c901e05d6edefb27a1cce263bbd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cfecf868a5d956bc168b18a924761b24

SHA1
2d00d25776209ff2507076f752a64a243a713fe1

SHA256
95411bb623c5489a783535b5b8aaec35e10c0fa0165c5be40aa2b1fdb04649f7

SHA512
da0b963061daca080b2b980bb9a54dbb2ff66a6571863fe62bc4efeaf66b2a2477391d60432452d96d4192d2b22a32c1b17db6f3d0193113aa34fa760fdf2fed

Download Submit
memory/1148-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2484-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-47-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2720-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2772-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2780-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2780-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2892-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2892-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2892-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download