neconyd | e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
Size

96KB
MD5

edb0f3c415f5f4d166acffcd3fe73d90
SHA1

e419242d88054f65467983b78bf7ffed4cae44d2
SHA256

e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1
SHA512

89da9f72f78ac9c2034d378793771963a207871ca82ec6742bcb12a92ee41c8b3e89d9104ee58a993b7ecf85f75c2fb00a22e04a3dd747f768b1cb6c6ddc6457
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:JGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2572	omsecor.exe
2944	omsecor.exe
1524	omsecor.exe
3000	omsecor.exe
2420	omsecor.exe
1884	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
2572	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2572 set thread context of 2944	2572	omsecor.exe	32
PID 1524 set thread context of 3000	1524	omsecor.exe	36
PID 2420 set thread context of 1884	2420	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2828 wrote to memory of 2856	2828	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	30
PID 2856 wrote to memory of 2572	2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	31
PID 2856 wrote to memory of 2572	2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	31
PID 2856 wrote to memory of 2572	2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	31
PID 2856 wrote to memory of 2572	2856	e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe	31
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2572 wrote to memory of 2944	2572	omsecor.exe	32
PID 2944 wrote to memory of 1524	2944	omsecor.exe	35
PID 2944 wrote to memory of 1524	2944	omsecor.exe	35
PID 2944 wrote to memory of 1524	2944	omsecor.exe	35
PID 2944 wrote to memory of 1524	2944	omsecor.exe	35
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 1524 wrote to memory of 3000	1524	omsecor.exe	36
PID 3000 wrote to memory of 2420	3000	omsecor.exe	37
PID 3000 wrote to memory of 2420	3000	omsecor.exe	37
PID 3000 wrote to memory of 2420	3000	omsecor.exe	37
PID 3000 wrote to memory of 2420	3000	omsecor.exe	37
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38
PID 2420 wrote to memory of 1884	2420	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
"C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
  C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
16514339d94adcfc81b071a6b641fd77

SHA1
b65bfcb85d7b2076db6bb3041b3ec376addef975

SHA256
c60aa17e6b825598e631162dfa3930fe134221fb80c6f973a0390cb3596ed86e

SHA512
ece5b17dd12ada53573852b413a3ea4c3f91d2296c29923e38fbb1ab268e9a16e60a05edcfc32c4f35280640c494bbcdd70e42b031843063feb201c69807cdf9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b8e9f0b12da5638219123b813ee53e6c

SHA1
eeb1b64ea1c509d89a0ba4c402e45050cf125660

SHA256
66170b6b77c155906d73f44f94cabb399623e5543cba859dc0b279f119854e5e

SHA512
8bbbf8686f618f2429afe2ab9163776003e31f74a3585911066ca1c5c81266d193908c5f30bbf2ca55ac3865e6c426390791ea37367655eee6f2584e25ac89f8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c8babb5aa9cd036518c531be79639f8e

SHA1
48857f9d3828ac40c1bb0b404d6c13e762552b3d

SHA256
c68efdaef513167c7f4d7b0a4ba2e3c568a36733c7b029b5c41fa1b7a2a64ee7

SHA512
81c07f8a89d88c56ee42ab577d9d81abc0b9f01a67bdfc2920109bd260ff0d34df31cb13f01def7f63688e7348f0d95bc74d745f113c28527ac1878b98540ba7

Download Submit
memory/1524-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1884-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-1-0x0000000000530000-0x0000000000553000-memory.dmp

Filesize
140KB

Download
memory/2856-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2856-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2856-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-48-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2944-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-73-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download