neconyd | 1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
Size

134KB
MD5

6ac7063420ff8401c6844a36b2dd9322
SHA1

1a326c3f7fb00c7a0abee0bf8c361391317005e9
SHA256

1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f
SHA512

ae8be00d29ff329d9411806a1e1117bf560f7689fca1b7506fd4e26f34d5efa65fcdf89573eabd083dcc2479c84e7ca0741e55d22a33102c9ff4bd807959353b
SSDEEP

1536:MDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCin:yiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2816	omsecor.exe
2848	omsecor.exe
1056	omsecor.exe
1516	omsecor.exe
2284	omsecor.exe
2144	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
2816	omsecor.exe
2848	omsecor.exe
2848	omsecor.exe
1516	omsecor.exe
1516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2816 set thread context of 2848	2816	omsecor.exe	32
PID 1056 set thread context of 1516	1056	omsecor.exe	36
PID 2284 set thread context of 2144	2284	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2324 wrote to memory of 2716	2324	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	30
PID 2716 wrote to memory of 2816	2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	31
PID 2716 wrote to memory of 2816	2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	31
PID 2716 wrote to memory of 2816	2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	31
PID 2716 wrote to memory of 2816	2716	1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe	31
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2816 wrote to memory of 2848	2816	omsecor.exe	32
PID 2848 wrote to memory of 1056	2848	omsecor.exe	35
PID 2848 wrote to memory of 1056	2848	omsecor.exe	35
PID 2848 wrote to memory of 1056	2848	omsecor.exe	35
PID 2848 wrote to memory of 1056	2848	omsecor.exe	35
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1056 wrote to memory of 1516	1056	omsecor.exe	36
PID 1516 wrote to memory of 2284	1516	omsecor.exe	37
PID 1516 wrote to memory of 2284	1516	omsecor.exe	37
PID 1516 wrote to memory of 2284	1516	omsecor.exe	37
PID 1516 wrote to memory of 2284	1516	omsecor.exe	37
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38
PID 2284 wrote to memory of 2144	2284	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
"C:\Users\Admin\AppData\Local\Temp\1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
  C:\Users\Admin\AppData\Local\Temp\1087e81bba840ba1edf126812ec722507422ea1b3f1fb600f5e43d5b78d8709f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
37334ab0724cc1c3ee2215a89ffb7b50

SHA1
48ade6cd6aa189d93cb25fa51c341864630c05cc

SHA256
057dc8c2c55ddccc168e2fa445980e4f98d4d3a5f669b6d35ec08e7dbfc0ca4c

SHA512
549389539f7692e582dcdf575cc536306bb5d35a1450a96052bec8911c2e4e464052921d01aa83a1112f5364ee83c1dd9334127613117084af57e4dcee752dfc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2df11c82c1c2b04b93ad06845cc9d9ff

SHA1
d0ec376e7b17ac833b89b50159f1949b0b54ddf8

SHA256
be88c80ff64a3aa186c0c68d3881752b72ec8a48f64f7e2695c48081d80ee106

SHA512
a315634d9dbdd7daf4520cab339741489e5b4de3fd1214e3e3c21a4aa3f9d6429924373ad7232dcf53680b466731a51d17126ba8d85ea0cb61ad81c7cfb1f6d6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
f5bf9a5cd62dc33a2846b3b637eb1c54

SHA1
6205ec0930fa380897316ee3e9d77cdcb0e9267c

SHA256
ceb6300148309b8b7dd78f6b11075f1cdd623425f5d80be32f2472b7d747a9c7

SHA512
3eecb2c0a5b46d530b965365b89391f2cf47b345c56c642d67a43ed4c420e98cf3374432b93a49028232fc387e21d6ce857e0e50145a808663b942470b664b05

Download Submit
memory/1056-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1056-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1516-67-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2144-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2284-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2324-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2324-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2716-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-44-0x0000000000530000-0x0000000000554000-memory.dmp

Filesize
144KB

Download
memory/2848-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download