neconyd | 879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Size

134KB
MD5

36c4d2f645f9db603d475063924eb670
SHA1

5629b4c78b8cdb44c74e8ea403554bd01168b8e6
SHA256

879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5d
SHA512

ba678c8acea7d20906096ac197d5b6475e9d4bb1d8a1de0c369970ea8bb38f194787d5b4d866c67135ca200c2a808159616070a2ac7f0e7a75233958d27e2c68
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1680	omsecor.exe
3064	omsecor.exe
2968	omsecor.exe
2196	omsecor.exe
1860	omsecor.exe
2116	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
1680	omsecor.exe
3064	omsecor.exe
3064	omsecor.exe
2196	omsecor.exe
2196	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1680 set thread context of 3064	1680	omsecor.exe	32
PID 2968 set thread context of 2196	2968	omsecor.exe	36
PID 1860 set thread context of 2116	1860	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1904 wrote to memory of 1784	1904	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	30
PID 1784 wrote to memory of 1680	1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	31
PID 1784 wrote to memory of 1680	1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	31
PID 1784 wrote to memory of 1680	1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	31
PID 1784 wrote to memory of 1680	1784	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	31
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 1680 wrote to memory of 3064	1680	omsecor.exe	32
PID 3064 wrote to memory of 2968	3064	omsecor.exe	35
PID 3064 wrote to memory of 2968	3064	omsecor.exe	35
PID 3064 wrote to memory of 2968	3064	omsecor.exe	35
PID 3064 wrote to memory of 2968	3064	omsecor.exe	35
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2968 wrote to memory of 2196	2968	omsecor.exe	36
PID 2196 wrote to memory of 1860	2196	omsecor.exe	37
PID 2196 wrote to memory of 1860	2196	omsecor.exe	37
PID 2196 wrote to memory of 1860	2196	omsecor.exe	37
PID 2196 wrote to memory of 1860	2196	omsecor.exe	37
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38
PID 1860 wrote to memory of 2116	1860	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
"C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
  C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f4be90352975039dc08cb4cfff1ab390

SHA1
e9e7d4d0d1f8da90d7748a18b21a6d2a579d9f2b

SHA256
a20d8d15be6fd148f7481b57a9bcb9ee877eca2d85be64394e149d4e39769203

SHA512
5bb9afc5872978bcfbdecf0997e54d1b8a091e3941e83a59164d4124d7c7ee48b68ac3814eb336c5226761f35965ecf413ec0d51a6d8a2c173c297b3db85fc2f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
237ebd15c1275362cce5aff75c69ceee

SHA1
761b9d5db6a75a4357dcdb9c94123994b2e57b41

SHA256
e5849be6141e9184ed52e98962ded107bb2d836e9d345a192e10e9448bb806fb

SHA512
1dd00cd212e4f6f9c9b870adff395d64c3936bebb0bf7a49f108a545f15d19c879a038901519b46dac5f84b6960f4928bb953b6d9780d87ba6c2ab3e178621a7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6049c174eb7c63412d46e80ccc0b0113

SHA1
d1545411d803197c1946196266e205b1d5dfa9ae

SHA256
7502ca24a6647d5e6f4cff524b2dd5527dd67a69279664036b8797e8d94479ab

SHA512
5b93f8a7dcc5650f5885cb754f9868b3fedd4445010676ca87a8f838cebd69dc4d727a7d8e69c61947793858144ecd34fee19146903311eb1d2878e71412319c

Download Submit
memory/1680-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1784-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1784-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1860-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1904-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1904-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2196-67-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2968-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-45-0x00000000004A0000-0x00000000004C4000-memory.dmp

Filesize
144KB

Download
memory/3064-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download