neconyd | 1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Size

134KB
MD5

099abb3081d65799fc9b40e3df5cd1a8
SHA1

ceb4f89461297162a73acd8ffc58b56e24109d5c
SHA256

1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a
SHA512

a71ce8a1f65c9f3383d6dbc52fb9c208054bfb8cf2c0b06164325ad1764ca05cba86885a4b5f51f1c677a29966bf89626c4bda9e15e260ecd4ff12d488bb58b6
SSDEEP

1536:qDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi/:MiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2064	omsecor.exe
2728	omsecor.exe
1824	omsecor.exe
2316	omsecor.exe
1144	omsecor.exe
2968	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
2064	omsecor.exe
2728	omsecor.exe
2728	omsecor.exe
2316	omsecor.exe
2316	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2064 set thread context of 2728	2064	omsecor.exe	32
PID 1824 set thread context of 2316	1824	omsecor.exe	36
PID 1144 set thread context of 2968	1144	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2092 wrote to memory of 2608	2092	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	30
PID 2608 wrote to memory of 2064	2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	31
PID 2608 wrote to memory of 2064	2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	31
PID 2608 wrote to memory of 2064	2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	31
PID 2608 wrote to memory of 2064	2608	1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe	31
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2064 wrote to memory of 2728	2064	omsecor.exe	32
PID 2728 wrote to memory of 1824	2728	omsecor.exe	35
PID 2728 wrote to memory of 1824	2728	omsecor.exe	35
PID 2728 wrote to memory of 1824	2728	omsecor.exe	35
PID 2728 wrote to memory of 1824	2728	omsecor.exe	35
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 1824 wrote to memory of 2316	1824	omsecor.exe	36
PID 2316 wrote to memory of 1144	2316	omsecor.exe	37
PID 2316 wrote to memory of 1144	2316	omsecor.exe	37
PID 2316 wrote to memory of 1144	2316	omsecor.exe	37
PID 2316 wrote to memory of 1144	2316	omsecor.exe	37
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38
PID 1144 wrote to memory of 2968	1144	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
"C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
  C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
eba86746668f8d90837926342a64fc77

SHA1
d1cd0e6c55f25e5de3433539b613c219ac468f70

SHA256
891bb93e65898c960feb8d16067e34590b84d56da12fa24342b5d9de622deb78

SHA512
fd87b1d2894ac9b62ce73cf5f6fee593b8fffbd5ba2cf54916bd66520c2832577c4d0f8562fe1f171facb7e1091a9f768cff8be021d6fa3bd9de816a768566d9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8b5715f0c99ad129cea6601976a5f255

SHA1
a15a3b9cb5f699f5c39b593d46b037188890cc61

SHA256
f4f2d06af7993f824fda5d4eb8c7a13df74b71fe32ce2fc92040e5c7d31bf9c6

SHA512
215f8a6140c415da1f3ba936077afba6ffae89ba161fe26711ca83f316ee54055fb145bc28a88dbb06ac6413e76297561c038d9ff679d65bd849b2d387f692d7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
37f673f22c5e6109f12d0fb0506e7c5d

SHA1
af75bf691ff2085ce97414a942bfc499052e44c0

SHA256
aa22fefd4efbb940a54ebc3c628d0d74f5fbb38fe2243c5f12a6bfd259fd1891

SHA512
2387bf952d2818fc6524bd16fb9a99e24edbf14d55e6f9b3fc04ebf33feb99f78b5891977c39eebf37fc2b7913c48b95ad0b2fc75bbe4afb0763eb9442362186

Download Submit
memory/1144-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1144-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1824-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1824-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2064-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2064-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-13-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2608-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-52-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/2728-46-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/2728-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download