neconyd | 63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553

Analysis

max time kernel
116s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
Size

134KB
MD5

9bb2167d80542b7a8deb1ac220bb58cb
SHA1

58e2bf1aca2c5391074cbf46a07b57910c1c0b28
SHA256

63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553
SHA512

3bcda1bb9de8048488c48c508aa324fae574e0801b658334f863dd847ea6368782cace737d5064b8d67ee3f2ab5b7d95b6bd76b09cd001a9a1d1f5cd6447d903
SSDEEP

1536:cDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCif:CiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2632	omsecor.exe
3024	omsecor.exe
2904	omsecor.exe
2644	omsecor.exe
1340	omsecor.exe
1020	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
2632	omsecor.exe
3024	omsecor.exe
3024	omsecor.exe
2644	omsecor.exe
2644	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2632 set thread context of 3024	2632	omsecor.exe	32
PID 2904 set thread context of 2644	2904	omsecor.exe	36
PID 1340 set thread context of 1020	1340	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2908 wrote to memory of 2972	2908	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	30
PID 2972 wrote to memory of 2632	2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	31
PID 2972 wrote to memory of 2632	2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	31
PID 2972 wrote to memory of 2632	2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	31
PID 2972 wrote to memory of 2632	2972	63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe	31
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 2632 wrote to memory of 3024	2632	omsecor.exe	32
PID 3024 wrote to memory of 2904	3024	omsecor.exe	35
PID 3024 wrote to memory of 2904	3024	omsecor.exe	35
PID 3024 wrote to memory of 2904	3024	omsecor.exe	35
PID 3024 wrote to memory of 2904	3024	omsecor.exe	35
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2904 wrote to memory of 2644	2904	omsecor.exe	36
PID 2644 wrote to memory of 1340	2644	omsecor.exe	37
PID 2644 wrote to memory of 1340	2644	omsecor.exe	37
PID 2644 wrote to memory of 1340	2644	omsecor.exe	37
PID 2644 wrote to memory of 1340	2644	omsecor.exe	37
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38
PID 1340 wrote to memory of 1020	1340	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
"C:\Users\Admin\AppData\Local\Temp\63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
  C:\Users\Admin\AppData\Local\Temp\63440946f61f4733abc98e668831f1197d29e3d380bd942e3b4942a943984553.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
a1123926803b37000fd3ed1e3c4fd715

SHA1
ba2d575e9bf74d74f0c51ba7ddaf9a604c38e212

SHA256
1f71a9ffc06dc1e2eaea59a8b0f90b0cb51bcaa573b7797fd478a7ac2a46bca2

SHA512
0942ef06510ffcaf99869d250b5c90bdc7b9b3dd9337ba96fa894e1a11f5e35b82ba5da2dafa210e25658ba1658ad62e2b23d00dd491ce5bdae0530a0596a5c5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e0c354d681e1ccb618adb9e643dfe5dc

SHA1
205b28ef23ad445588dd9ff4b689f49c8b171656

SHA256
3c8a06fe93e64de40fe688d7b7afb162e67c7a738e1221451f45581905d9ed4d

SHA512
0f228eb088f58cc337f0871d5b6cfeb7faa33b72c8a5013349e1a01cfffb272a76359d3ffa9a73698cc21db68656b1fdf9ece59454e0cef7ed0bc322b2cd7c20

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
b0185fe456c3d29d3d27372d8236a8ca

SHA1
4d5b1386b276f2fccada39132b6089a214585888

SHA256
b35152b9cc1ab472754e4c8d4217c998df5e57dec03d1849c500e0ef40fd5a33

SHA512
c40d482dbbecafad3c231ba15f7a456b2578296574bd8ce1b9eda20f27cea15b08597a4f1364563f42f24a44c4111edb17129c8919f5b5f0b358a42349e7577c

Download Submit
memory/1020-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2632-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2632-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-85-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2644-69-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2904-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2904-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-50-0x00000000004A0000-0x00000000004C4000-memory.dmp

Filesize
144KB

Download
memory/3024-51-0x00000000004A0000-0x00000000004C4000-memory.dmp

Filesize
144KB

Download
memory/3024-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download