neconyd | 46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609a

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
Size

96KB
MD5

5a4e24466068994c8d2993885c234630
SHA1

71ad823076f84943e7a84b18170620604c222816
SHA256

46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609a
SHA512

e63ba08d8b70e3fb81ec7556f9210600964a633a7920579fe9bbff0bca370b83b88e5abab7ee1910db82caa929787109b4138b02af9f7ff9f199e957641ce07b
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:OGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1708	omsecor.exe
2760	omsecor.exe
2944	omsecor.exe
1636	omsecor.exe
1984	omsecor.exe
3012	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
1708	omsecor.exe
2760	omsecor.exe
2760	omsecor.exe
1636	omsecor.exe
1636	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1708 set thread context of 2760	1708	omsecor.exe	32
PID 2944 set thread context of 1636	2944	omsecor.exe	36
PID 1984 set thread context of 3012	1984	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 1688 wrote to memory of 2404	1688	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	30
PID 2404 wrote to memory of 1708	2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	31
PID 2404 wrote to memory of 1708	2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	31
PID 2404 wrote to memory of 1708	2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	31
PID 2404 wrote to memory of 1708	2404	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	31
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 1708 wrote to memory of 2760	1708	omsecor.exe	32
PID 2760 wrote to memory of 2944	2760	omsecor.exe	35
PID 2760 wrote to memory of 2944	2760	omsecor.exe	35
PID 2760 wrote to memory of 2944	2760	omsecor.exe	35
PID 2760 wrote to memory of 2944	2760	omsecor.exe	35
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 2944 wrote to memory of 1636	2944	omsecor.exe	36
PID 1636 wrote to memory of 1984	1636	omsecor.exe	37
PID 1636 wrote to memory of 1984	1636	omsecor.exe	37
PID 1636 wrote to memory of 1984	1636	omsecor.exe	37
PID 1636 wrote to memory of 1984	1636	omsecor.exe	37
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38
PID 1984 wrote to memory of 3012	1984	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
"C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
  C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5f78c8acd8d7a3c783977b7f65ed2124

SHA1
95dbbb6ce4854675e025b91adcd9a5f6866c932d

SHA256
3c3037c0182e088a172c2e7d57cea99d8d545fb7bd331ad2e35b2b11b0ead1d1

SHA512
b0d886e88c5648e08626105a298a09e5b70a3a499e8b403b0866fe34f846995eaaa5cf05959c7587fe57ae2b50c8ca3dedc83bff98cb0b28482ab23dd2f1c594

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c3d3e2342f359f954999e0b00b701899

SHA1
a1c93f518d96c5129d960e966b1422cf5c832d80

SHA256
27d43506173effb368fc037a5fbeab4e08381578f014fd56aad0a6d01f5ee556

SHA512
bb4123cb40ddf0c201516e0a599b467690a772c1adfa5b9d96d22f477cc8fe42b58023101381e77440136993a9ce8724eb42a405f54083a289f7a446b7727af5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0a8dc95391d4fe87a48773248321f8ed

SHA1
e7d164dc450558316a5cac9b9af0b7ff4889421d

SHA256
228b01133a52cfd166deee024451c8271accd5e959646acf1d505362ddb33a99

SHA512
e52335ff54f0c02c4f96f2b986cacda5eba9307e30de84ac004ad48c5e6c02494cb4ad06652a627f6008eb25a495aa38a301c6b08e6028b4879dff2578968d79

Download Submit
memory/1636-74-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1688-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1708-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-22-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2404-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-55-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2760-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-53-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2760-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2944-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3012-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download