neconyd | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Size

96KB
MD5

b55545b8ebbe3b5559e4615778d5a610
SHA1

4cad156ecebb8a3a88947778e279386b68685260
SHA256

09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab
SHA512

28def2b2454383345a82949d9f00d9787036c4ad3ab64d82d7e86c588383e348be7e36d850148bda0c97bf6a3b7d00e530edcbb35c22db14813cf8ad9e0f04e3
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2756	omsecor.exe
2200	omsecor.exe
2888	omsecor.exe
1668	omsecor.exe
264	omsecor.exe
2144	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
2756	omsecor.exe
2200	omsecor.exe
2200	omsecor.exe
1668	omsecor.exe
1668	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2756 set thread context of 2200	2756	omsecor.exe	32
PID 2888 set thread context of 1668	2888	omsecor.exe	35
PID 264 set thread context of 2144	264	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2776 wrote to memory of 2848	2776	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	30
PID 2848 wrote to memory of 2756	2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	31
PID 2848 wrote to memory of 2756	2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	31
PID 2848 wrote to memory of 2756	2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	31
PID 2848 wrote to memory of 2756	2848	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	31
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2756 wrote to memory of 2200	2756	omsecor.exe	32
PID 2200 wrote to memory of 2888	2200	omsecor.exe	34
PID 2200 wrote to memory of 2888	2200	omsecor.exe	34
PID 2200 wrote to memory of 2888	2200	omsecor.exe	34
PID 2200 wrote to memory of 2888	2200	omsecor.exe	34
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 2888 wrote to memory of 1668	2888	omsecor.exe	35
PID 1668 wrote to memory of 264	1668	omsecor.exe	36
PID 1668 wrote to memory of 264	1668	omsecor.exe	36
PID 1668 wrote to memory of 264	1668	omsecor.exe	36
PID 1668 wrote to memory of 264	1668	omsecor.exe	36
PID 264 wrote to memory of 2144	264	omsecor.exe	37
PID 264 wrote to memory of 2144	264	omsecor.exe	37
PID 264 wrote to memory of 2144	264	omsecor.exe	37
PID 264 wrote to memory of 2144	264	omsecor.exe	37
PID 264 wrote to memory of 2144	264	omsecor.exe	37
PID 264 wrote to memory of 2144	264	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
"C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7030d0b66162cb56c85d320713f21874

SHA1
6450544f289d3656f5e36480050b255577acc79d

SHA256
ba23dba9f23b6d003f585605ff70f41f8110d7501c870e8f8da0a4b31032b9d1

SHA512
0d36183a218e7fbf54b1f58023fc4eaf1e1379bbd59ea8daf138b23ee4805b2533f11b93359daab0ce5e7a3d9dca3361cf0e158030f44509cd3e07f3af07dbd6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5570a9ec5908ebacce84c613610de7ff

SHA1
a89347b97a8a117caf864ef0247a4cae193f5da2

SHA256
fef657d00819dc749a1b7085a810f13d93baf34db63bd4804ec9122aed3321cb

SHA512
f9580b0cb9f6c6fd35da20fbd834b26ca0a8b515df68375f36bfb80b2e7985521b2f587e7899c06f298973f388f876b8955ef68bc8a12e10d073779d2df85504

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
995ad09a63256674255e547431393b42

SHA1
ca435ce0974965843024b22d128d150cd09be5b9

SHA256
6b5a95a05c066d267b3946b3137d5d8dc1d8c7059084166ca4be288e2918040d

SHA512
4f3222919a3e279b213c92439724a68ebeeb6ed292f7ec15bc55ad97178f9924176e4823094d5283ae03ca3db6585422ea57f84bfd83a24161ae63823d148ec4

Download Submit
memory/264-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-77-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1668-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2144-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-91-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2200-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-56-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2756-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2756-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2776-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2776-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2848-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2848-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download