neconyd | ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4

Analysis

max time kernel
116s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
Size

96KB
MD5

28bddfa5d0097af654ebbc6202aac5d0
SHA1

7fb0227abbb80c4dd8cfda65eb637b46cbbbc342
SHA256

ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4
SHA512

8b4298e7b5e81cc1dc2c08548cb3d8edebe4ae58ad84a08fe45368d0c07b8a8a60fb23a2b70b3165611f5e5a149050d03e07bd9b900a587be7552771a1ec0121
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:KGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2872	omsecor.exe
2684	omsecor.exe
580	omsecor.exe
2420	omsecor.exe
2440	omsecor.exe
1476	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
2872	omsecor.exe
2684	omsecor.exe
2684	omsecor.exe
2420	omsecor.exe
2420	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2872 set thread context of 2684	2872	omsecor.exe	32
PID 580 set thread context of 2420	580	omsecor.exe	35
PID 2440 set thread context of 1476	2440	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 2904 wrote to memory of 1452	2904	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	30
PID 1452 wrote to memory of 2872	1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	31
PID 1452 wrote to memory of 2872	1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	31
PID 1452 wrote to memory of 2872	1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	31
PID 1452 wrote to memory of 2872	1452	ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe	31
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2872 wrote to memory of 2684	2872	omsecor.exe	32
PID 2684 wrote to memory of 580	2684	omsecor.exe	34
PID 2684 wrote to memory of 580	2684	omsecor.exe	34
PID 2684 wrote to memory of 580	2684	omsecor.exe	34
PID 2684 wrote to memory of 580	2684	omsecor.exe	34
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 580 wrote to memory of 2420	580	omsecor.exe	35
PID 2420 wrote to memory of 2440	2420	omsecor.exe	36
PID 2420 wrote to memory of 2440	2420	omsecor.exe	36
PID 2420 wrote to memory of 2440	2420	omsecor.exe	36
PID 2420 wrote to memory of 2440	2420	omsecor.exe	36
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37
PID 2440 wrote to memory of 1476	2440	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
"C:\Users\Admin\AppData\Local\Temp\ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
  C:\Users\Admin\AppData\Local\Temp\ef32316ad792dee5bda8e1cf66828ace6b03acb32b13ce9c393a0821082507b4N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8f985c50c3db29ddc08d22cab3055a7a

SHA1
d54b52e0483d0803a9e8da9df39c58d0328e4205

SHA256
f732096d9e059da6ad01eef648ff90bfd01395151e6d0a4747ad9276d42784af

SHA512
087c8c4c664ff825fae0ae391cd47f221f0f8b95fa8dce9ac9c360dcd47f7df870c9b379fcfdc00b0ef67663bdc2abc195f4cfec6c44e2c05aa413296921768e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b9ccc967b9c52e5f2e54dbc72ee68618

SHA1
406985149c689745f620e0a7179cb65c123e1f43

SHA256
d9df244d84f28cba719275590aba879a918b1de9ca5c96ec19c2cfc43e07bed1

SHA512
e5ee7508e735af605c7deaaf9a8bb44827fffb90a216a8db924282821072dfd69f221be028efcc5be331625792f78fae002b9ff70cd78a8c54b67601e96ded77

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f2cd3f9a858615dbf17e1621ae4e1cac

SHA1
980022f428d06365ef269a399b09fa710ee4f3c7

SHA256
491c647ad3ea2b1fe83d2f58bd3f500548e113ac141a80faae09cdb4ff4c7dc6

SHA512
aa796efa4face592ef09e18c13a349507eacaf8cae44454f64d750e8c3530a09555a9bbd414a5b0ee90ee84be2895c5003d35a9f88a3d0627f285166ca42275c

Download Submit
memory/580-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/580-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1452-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1452-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2440-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2440-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-54-0x0000000002400000-0x0000000002423000-memory.dmp

Filesize
140KB

Download
memory/2684-53-0x0000000002400000-0x0000000002423000-memory.dmp

Filesize
140KB

Download
memory/2684-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2872-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download