neconyd | 4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Size

96KB
MD5

723b432ff0012815d934e96ac5aa1160
SHA1

9cd5f7e42aa96445e3919cc95d2dbe917624955b
SHA256

4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62
SHA512

537f668f04c4e696df8e5608d6156b5b6f2ec595b89b34df394d60943c49c6291bf2a03c39c9f8e965a7c0a4ac6cb7f18d817df0fd4b3af3657a5dc1222c7507
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:TGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1368	omsecor.exe
2096	omsecor.exe
1396	omsecor.exe
1928	omsecor.exe
1496	omsecor.exe
3020	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
1368	omsecor.exe
2096	omsecor.exe
2096	omsecor.exe
1928	omsecor.exe
1928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 1368 set thread context of 2096	1368	omsecor.exe	32
PID 1396 set thread context of 1928	1396	omsecor.exe	36
PID 1496 set thread context of 3020	1496	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2900 wrote to memory of 2992	2900	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	30
PID 2992 wrote to memory of 1368	2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	31
PID 2992 wrote to memory of 1368	2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	31
PID 2992 wrote to memory of 1368	2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	31
PID 2992 wrote to memory of 1368	2992	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	31
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 1368 wrote to memory of 2096	1368	omsecor.exe	32
PID 2096 wrote to memory of 1396	2096	omsecor.exe	35
PID 2096 wrote to memory of 1396	2096	omsecor.exe	35
PID 2096 wrote to memory of 1396	2096	omsecor.exe	35
PID 2096 wrote to memory of 1396	2096	omsecor.exe	35
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1396 wrote to memory of 1928	1396	omsecor.exe	36
PID 1928 wrote to memory of 1496	1928	omsecor.exe	37
PID 1928 wrote to memory of 1496	1928	omsecor.exe	37
PID 1928 wrote to memory of 1496	1928	omsecor.exe	37
PID 1928 wrote to memory of 1496	1928	omsecor.exe	37
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38
PID 1496 wrote to memory of 3020	1496	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
"C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
  C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8a00432a1f8eb7785d4a5579b92f9085

SHA1
7bcb0e8d4a5392cfc4c685e7e2dc2a80ee79bf52

SHA256
3b89bcb3175a83b5095c13993cfda156dfa786ece2a1e6c6e90502541d9bde8f

SHA512
ff7a6f70d09fd4b024b34ace1c53e017cebf4b6f52b8bf199e1975d9e8b02af745e8349223aa141ff29d74f814672e4bb310c00da58e265f8516146606600fc5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
80de42336312654e0ca4a011859b1479

SHA1
4f0e7fc2c04949c355fd245861f0db560e320ef7

SHA256
527b60f1838af465342c5e95d413b8ee03ae10a6db0b9ca92f795adfa9017762

SHA512
1dad91f2ecb15dd5ffe5538ccc5aaf9fc8b135c1534d6b7e05bc8e8b67771ca584d7e378dde9675b995cac94aa15bbfbd9e7f66f6105b3275b78c8732d8c70b9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a11709dd6029d7fcf3d5add0de4a5389

SHA1
9dad4185869d59ee0f601ef0e4f1ede34096cc11

SHA256
c211f73ee6707d87832743cf6c43eebe15ebaafcf0ccc7072770e844e657ead1

SHA512
25e9ab652edee31f6cb4bf725e0c23cc3d8df5a001d0cec8418acfe32037dd16e9e6793c3bca368b5d7ae5f5b09914d70da8266b62ed275defd65e1d480a4354

Download Submit
memory/1368-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1368-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1396-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1396-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2900-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2992-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-35-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2992-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download