neconyd | 982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
Size

96KB
MD5

cef45c2409259699135727cbc94aa750
SHA1

adc57545b66c43b1e59b93c72bae959f7e0b294b
SHA256

982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50
SHA512

b0ed6de2c83ac623ccd22c7c2e63fd93d77ee5a997b4bd11170d68cb411edb680b0110b13c0b28e9b7ef5c50f91c77f2b4550732e174cc2a81a2e7f48e917bc9
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:OGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2216	omsecor.exe
2416	omsecor.exe
1920	omsecor.exe
1604	omsecor.exe
2168	omsecor.exe
572	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
2216	omsecor.exe
2416	omsecor.exe
2416	omsecor.exe
1604	omsecor.exe
1604	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2216 set thread context of 2416	2216	omsecor.exe	33
PID 1920 set thread context of 1604	1920	omsecor.exe	36
PID 2168 set thread context of 572	2168	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2972 wrote to memory of 2992	2972	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	31
PID 2992 wrote to memory of 2216	2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	32
PID 2992 wrote to memory of 2216	2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	32
PID 2992 wrote to memory of 2216	2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	32
PID 2992 wrote to memory of 2216	2992	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	32
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2216 wrote to memory of 2416	2216	omsecor.exe	33
PID 2416 wrote to memory of 1920	2416	omsecor.exe	35
PID 2416 wrote to memory of 1920	2416	omsecor.exe	35
PID 2416 wrote to memory of 1920	2416	omsecor.exe	35
PID 2416 wrote to memory of 1920	2416	omsecor.exe	35
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1920 wrote to memory of 1604	1920	omsecor.exe	36
PID 1604 wrote to memory of 2168	1604	omsecor.exe	37
PID 1604 wrote to memory of 2168	1604	omsecor.exe	37
PID 1604 wrote to memory of 2168	1604	omsecor.exe	37
PID 1604 wrote to memory of 2168	1604	omsecor.exe	37
PID 2168 wrote to memory of 572	2168	omsecor.exe	38
PID 2168 wrote to memory of 572	2168	omsecor.exe	38
PID 2168 wrote to memory of 572	2168	omsecor.exe	38
PID 2168 wrote to memory of 572	2168	omsecor.exe	38
PID 2168 wrote to memory of 572	2168	omsecor.exe	38
PID 2168 wrote to memory of 572	2168	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
"C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
  C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
416727115761e477e5d79141639157ac

SHA1
0198be0a052d0b3a9f90bdf6a88b41ed98d86db5

SHA256
7c79293172e5f3165c2ee3e5396e2d0d60dc4ce2d506f8ebeba8a26b747775a5

SHA512
e2f0a7d1aef55f1d472e46dbdb6579e004d0d4cc504f218de172f163e2c3fc3078636a535f9c4cab5c3e85b1737bde8bb081bd8bf66f68bcd2d6a3eaf9e18ab6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d554e42393f7b399de26cf2aeedff609

SHA1
b7ee14dc7d2f27dfa97bedcedc2b1c672e86683c

SHA256
afb1bf0c92b1519aeca33ecbce55dbfe14341dd74ffbeb4596042e1cd995dbf0

SHA512
d867507db6be771511315258065c4efc0c775ae1f244c941c27f38111d12b78a930abccc4c99b6d476e8ed32040526e12a867d95462a8608c5f03150e845f219

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
65848f6a88b3168314a891a19ab198f4

SHA1
be28695bc82707738cbbd8c70e48932a3c0cc15b

SHA256
d8e6b983d2905a9c25061b9dea2a502997b5c52c145d7cba3ccdeb0a8547a440

SHA512
f2f2b830ca0f2831c19b52119f99d642f260826110b85bf191ace692c86a5be3f4c7b4e6c40c5c4b0ce251996f3761f56120aeca58dcddb3175a99d5926447c2

Download Submit
memory/572-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-77-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1604-79-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1920-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2168-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2168-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2216-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2416-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-8-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2992-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download