neconyd | 12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Size

134KB
MD5

d9b1315c3de54f41e9f25a5070f6c6ca
SHA1

aa709b47beb38f301683cc96eb881df5ea5f4711
SHA256

12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8
SHA512

37cde91b5389a9916223b6695902316010d198ed5a8c32fe70e3a44eb95696669bbcc7b2f8f253dd3e2769a7cf71f67786771153ba99652599a378ce41af02c3
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1800	omsecor.exe
2504	omsecor.exe
1380	omsecor.exe
1116	omsecor.exe
1656	omsecor.exe
1360	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
1800	omsecor.exe
2504	omsecor.exe
2504	omsecor.exe
1116	omsecor.exe
1116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1800 set thread context of 2504	1800	omsecor.exe	32
PID 1380 set thread context of 1116	1380	omsecor.exe	36
PID 1656 set thread context of 1360	1656	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 1620 wrote to memory of 2368	1620	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	30
PID 2368 wrote to memory of 1800	2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	31
PID 2368 wrote to memory of 1800	2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	31
PID 2368 wrote to memory of 1800	2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	31
PID 2368 wrote to memory of 1800	2368	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	31
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 1800 wrote to memory of 2504	1800	omsecor.exe	32
PID 2504 wrote to memory of 1380	2504	omsecor.exe	35
PID 2504 wrote to memory of 1380	2504	omsecor.exe	35
PID 2504 wrote to memory of 1380	2504	omsecor.exe	35
PID 2504 wrote to memory of 1380	2504	omsecor.exe	35
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1380 wrote to memory of 1116	1380	omsecor.exe	36
PID 1116 wrote to memory of 1656	1116	omsecor.exe	37
PID 1116 wrote to memory of 1656	1116	omsecor.exe	37
PID 1116 wrote to memory of 1656	1116	omsecor.exe	37
PID 1116 wrote to memory of 1656	1116	omsecor.exe	37
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38
PID 1656 wrote to memory of 1360	1656	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
"C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
  C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
843a4a709342aabf50216665dcc48531

SHA1
4f2dc8ca38eef1e1f309ec8c037bf0ddfaac9a37

SHA256
b329d34342edd452172d9300ee6463f301f42595fbfd7c0238709021742ebec5

SHA512
ef08977959cfe10a51c2db3492d66373eb3fd264c61629f2e4912e0ebef56f6b0e0c46e1b60e71333c0a2a5fadcf1589924b97440fe8c43fab9c3bb944beb2cf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
98d0806c2790cd7c355df3602663c7c2

SHA1
a10a90612e3281534158cfb16758e75a34e1c422

SHA256
59e0c324e0f2dc8be5879ce69807b13cbed93986e63e0fbb07e7de970d0c1ff3

SHA512
76459f4cceafdbc26035ed959a9661bb8268a294893bc4a80eee65533d154acc4bb33e6ca7255eb87c186904d23711f0112e5a3893694204494c40da3f3fc218

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
a81ebee1ce72854928ef6b462dcd785e

SHA1
b8e960cad15319b279f3d82517d6265e70bf538a

SHA256
132e827a347df58d580a1ef9a88c1fb8349cc64724336348c1db76f54b0bdd37

SHA512
f5ea8ffd4271f6d3731d10b5bf0f221a26a4f213e762430570d4ad6fa3600cc22518879016b02307d49f1fbc6b642ac5678ad686e862f11cb3e380847422bbf2

Download Submit
memory/1360-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1380-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1620-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1620-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-20-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2368-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-18-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2504-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-47-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2504-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download