neconyd | 00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Size

134KB
MD5

17abba9b7903c73f47d031d6a7ca2973
SHA1

054397fba61cb951cb8cac20adada39cf4c0d3f6
SHA256

00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4
SHA512

c4513e79cd8b9f162245348e410120dbdb725f71d2971d0a645ad0fc93b132f1211a3e8ae4f5bff52c7a8cead5f94af4cd8abc0a120770a081fab31a30400e28
SSDEEP

1536:FDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:liRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2288	omsecor.exe
1260	omsecor.exe
2924	omsecor.exe
2948	omsecor.exe
1724	omsecor.exe
2960	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
2288	omsecor.exe
1260	omsecor.exe
1260	omsecor.exe
2948	omsecor.exe
2948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 352 set thread context of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 2288 set thread context of 1260	2288	omsecor.exe	32
PID 2924 set thread context of 2948	2924	omsecor.exe	36
PID 1724 set thread context of 2960	1724	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 352 wrote to memory of 772	352	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	30
PID 772 wrote to memory of 2288	772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	31
PID 772 wrote to memory of 2288	772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	31
PID 772 wrote to memory of 2288	772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	31
PID 772 wrote to memory of 2288	772	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	31
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 2288 wrote to memory of 1260	2288	omsecor.exe	32
PID 1260 wrote to memory of 2924	1260	omsecor.exe	35
PID 1260 wrote to memory of 2924	1260	omsecor.exe	35
PID 1260 wrote to memory of 2924	1260	omsecor.exe	35
PID 1260 wrote to memory of 2924	1260	omsecor.exe	35
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2924 wrote to memory of 2948	2924	omsecor.exe	36
PID 2948 wrote to memory of 1724	2948	omsecor.exe	37
PID 2948 wrote to memory of 1724	2948	omsecor.exe	37
PID 2948 wrote to memory of 1724	2948	omsecor.exe	37
PID 2948 wrote to memory of 1724	2948	omsecor.exe	37
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38
PID 1724 wrote to memory of 2960	1724	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
"C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
  C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f12dbc220a90f9e2d2ad8303e5ecdf8f

SHA1
080e72badfb81e725ac3e52a56631f35b7f19505

SHA256
033c2a7eaf3e01e3a5cfdb858472fae641a5c0467b5573e31228a54484d2ad3f

SHA512
932fbb6ad2a17125f8566ac4e9ab9f7fa4aea9e8d5805b73232272f8608604f7d9ddbb22d1c18b717868242da6fe4908218d7b039c4eeeaefeea14a63d85bd8e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ab096ccb21270e3ab2616e7583508409

SHA1
baee669b1227476478d05774b34cc210594b0296

SHA256
e9de6a136e07e6b60dc788c30b38190af4c89ba91acf0d3ad7475fa9cc19a601

SHA512
95eb5e098129cc9677355aee93627e1e86cdda03dc6348fb9d31ffcda861370df79fdc7ec98c31f4d9b22f0e008f00dd3069c28cc934adba3cc221103e91a115

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
0b355681032323f769a472ca07ff49a1

SHA1
cb16d0440e9d2e93d461087a20bebd4d498314ba

SHA256
2d1f24a78307d2bd11d49f3a813abc5b75578c8e77ddd75009d12c33c179af7a

SHA512
3ab317e9251c5fce71ca2fb3d889c06712bce53193a5814dab2c020339af05c5ae378dd168715d9c46beb7a89913d62a1786375c1b5144f809985cfaa1848b57

Download Submit
memory/352-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/352-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/352-32-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/772-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/772-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-46-0x0000000001F90000-0x0000000001FB4000-memory.dmp

Filesize
144KB

Download
memory/1260-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1724-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1724-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2288-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2288-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2948-76-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2948-75-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2960-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download