neconyd | 0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430be

Analysis

max time kernel
116s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
Size

96KB
MD5

b9173234f4b162cbf72c6f313eb81810
SHA1

656b03c93268845cec34e5eeb82076163a166673
SHA256

0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430be
SHA512

858e49e6cf15c7675f620a2fd2d54bc84f33d635de8569fa9af810e7a2169c393a88e9a1548b285a118b269c7752214c6bc0411193797271b8badcb2d81390b0
SSDEEP

1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:MGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1620	omsecor.exe
2036	omsecor.exe
1948	omsecor.exe
924	omsecor.exe
2100	omsecor.exe
2024	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
1620	omsecor.exe
2036	omsecor.exe
2036	omsecor.exe
924	omsecor.exe
924	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 524 set thread context of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 1620 set thread context of 2036	1620	omsecor.exe	33
PID 1948 set thread context of 924	1948	omsecor.exe	36
PID 2100 set thread context of 2024	2100	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 524 wrote to memory of 2340	524	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	31
PID 2340 wrote to memory of 1620	2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	32
PID 2340 wrote to memory of 1620	2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	32
PID 2340 wrote to memory of 1620	2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	32
PID 2340 wrote to memory of 1620	2340	0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe	32
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 1620 wrote to memory of 2036	1620	omsecor.exe	33
PID 2036 wrote to memory of 1948	2036	omsecor.exe	35
PID 2036 wrote to memory of 1948	2036	omsecor.exe	35
PID 2036 wrote to memory of 1948	2036	omsecor.exe	35
PID 2036 wrote to memory of 1948	2036	omsecor.exe	35
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 1948 wrote to memory of 924	1948	omsecor.exe	36
PID 924 wrote to memory of 2100	924	omsecor.exe	37
PID 924 wrote to memory of 2100	924	omsecor.exe	37
PID 924 wrote to memory of 2100	924	omsecor.exe	37
PID 924 wrote to memory of 2100	924	omsecor.exe	37
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38
PID 2100 wrote to memory of 2024	2100	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
"C:\Users\Admin\AppData\Local\Temp\0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
  C:\Users\Admin\AppData\Local\Temp\0caa9c5b37c8bfa49576d4e3e9d739650f9f79b51519bb9840462bcb142430beN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3c92b3476c9e9d161417b888686c1300

SHA1
d245dc0c6f2ca4053ec01f942546f5b7f30ca1e9

SHA256
fca75f65d917071448bcba065c182e59f4f4c618bb8f74aa09114b9998960d47

SHA512
5aff3e9b26d83c085e6e5870e0b5b41e2c53998c7344eacc5c83426b81ce3b3611c40a9db7e2f9b377bbb38fab4674f9ec391dc4484eaa4dbb6b792de1aa9c98

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
69351c9421ffebe67afd12a98d02a399

SHA1
68297d35913e817354aee4149141a373419afbd2

SHA256
d2e802b3dbe2dd1ba15a17ee0667eee9007e9b42020eae8071b7a402235067d0

SHA512
da6ea7c4848b7552b77a32d9e61c976ad185c45dfcb3c50d545232c3724bc79be42aa9f18509e23bb1016a5c92aa96ec9805aa59fb20ae72ff0517507e3432d5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1f3ff68f2c8353388eed0067bf9a8477

SHA1
cb43a4628921121b8461b31926c86b88f38c5495

SHA256
6901c4d2a70ac60a994eda27144dd95ca06f662374f4a9f1a2b489f700920f8c

SHA512
d59edba2070d4b8cd1aae1f6903b630137e82a43ae38a23fee7c06da507cc1374b7b60f3563c34d7dba7ede17e70bbb8d5d0b49272a5aa7545b03e5864a1c15a

Download Submit
memory/524-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/524-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1620-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1620-24-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/1620-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1948-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1948-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2024-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-55-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2036-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-47-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2036-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2100-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2340-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download