neconyd | 9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
Size

134KB
MD5

7e24c5ea6b190011e71e9cac4f7595d0
SHA1

de15ef57cfe63e8632279ed147b4f74b8bbc9f4c
SHA256

9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2
SHA512

da2bececc40ae17401bda67c97b6ab3f2215940fb6d5e6052e7549c7f0b50a31eb8a1c1c977a1cbf7e58a4bfbf32f788851a74397b438faf6881b54a40a43006
SSDEEP

1536:7DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:3iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2936	omsecor.exe
2636	omsecor.exe
1168	omsecor.exe
2072	omsecor.exe
2068	omsecor.exe
2380	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
2936	omsecor.exe
2636	omsecor.exe
2636	omsecor.exe
2072	omsecor.exe
2072	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2936 set thread context of 2636	2936	omsecor.exe	33
PID 1168 set thread context of 2072	1168	omsecor.exe	37
PID 2068 set thread context of 2380	2068	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2708 wrote to memory of 2856	2708	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	31
PID 2856 wrote to memory of 2936	2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	32
PID 2856 wrote to memory of 2936	2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	32
PID 2856 wrote to memory of 2936	2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	32
PID 2856 wrote to memory of 2936	2856	9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe	32
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2936 wrote to memory of 2636	2936	omsecor.exe	33
PID 2636 wrote to memory of 1168	2636	omsecor.exe	36
PID 2636 wrote to memory of 1168	2636	omsecor.exe	36
PID 2636 wrote to memory of 1168	2636	omsecor.exe	36
PID 2636 wrote to memory of 1168	2636	omsecor.exe	36
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 1168 wrote to memory of 2072	1168	omsecor.exe	37
PID 2072 wrote to memory of 2068	2072	omsecor.exe	38
PID 2072 wrote to memory of 2068	2072	omsecor.exe	38
PID 2072 wrote to memory of 2068	2072	omsecor.exe	38
PID 2072 wrote to memory of 2068	2072	omsecor.exe	38
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39
PID 2068 wrote to memory of 2380	2068	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
"C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
  C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ddb1ebf28d678b17251adfde4c4dce7c

SHA1
00e06e873f93dcbc219ae611e1736ad414976999

SHA256
1c2cc2e3dab03fa8b2e17d99727fcdcdf2875ba98169dbbe86ca800caa1d8fed

SHA512
01752ad6461e06e0d023f6a2dc1f02b6c02091ffc45e5b0f768de51d71ed6a6dc84a78ff40f8f6c810d294f4d7d3a214ef546e4136b8bdb15e70ea4b6506bb78

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d4fbfc0639a01074d1d89c37bd7ee979

SHA1
9048039a6546322ab16b8bb311db5dd1d2ff31ee

SHA256
ba89da6a05341d9bded41e6457a606ec80ece70a2478f03ce4fe0891b3c60851

SHA512
bd9dba47246b8b14bd63b7468ae39fce8df21f96eaf469f4f74e090eed77a8884db8e435540c79239e15ae1e3c1e155326476ccc1c41a9a8a09303872d152411

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
2b07bb627dfc3384bea836c273bbc527

SHA1
108a495654cecaba7a94856e4f61732065614c23

SHA256
6bfbe885ff898da0d76a5e7c7d1d6e4894f1e2514f373db03fc73004aa3c995e

SHA512
4256c8a333c2d743b81132cd0fc1618c64bc69192e31788f96f1630a68488a49a639d3f21cf3c49b29ab7fd587db82cddbfb71f817e8ab96514c838f72696bed

Download Submit
memory/1168-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2068-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2068-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2072-70-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/2380-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-46-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2636-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-1-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2708-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-14-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2856-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download