neconyd | b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Size

96KB
MD5

5660f5cb7b91cea1ede70afff53730ee
SHA1

d07850e367820b066ab16efd1227bef7720b8543
SHA256

b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb
SHA512

8e54277ad848011b38a3312fa44b161fc03c771cab22b65f5ed6d66e6bce63da4c70ca94c81df3dec155524b446d51bcf58395526c7c53338f213f302483d4b3
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
780	omsecor.exe
2744	omsecor.exe
2108	omsecor.exe
1800	omsecor.exe
2536	omsecor.exe
2148	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
780	omsecor.exe
2744	omsecor.exe
2744	omsecor.exe
1800	omsecor.exe
1800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2764 set thread context of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 780 set thread context of 2744	780	omsecor.exe	32
PID 2108 set thread context of 1800	2108	omsecor.exe	36
PID 2536 set thread context of 2148	2536	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2764 wrote to memory of 2792	2764	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	30
PID 2792 wrote to memory of 780	2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	31
PID 2792 wrote to memory of 780	2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	31
PID 2792 wrote to memory of 780	2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	31
PID 2792 wrote to memory of 780	2792	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	31
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 780 wrote to memory of 2744	780	omsecor.exe	32
PID 2744 wrote to memory of 2108	2744	omsecor.exe	35
PID 2744 wrote to memory of 2108	2744	omsecor.exe	35
PID 2744 wrote to memory of 2108	2744	omsecor.exe	35
PID 2744 wrote to memory of 2108	2744	omsecor.exe	35
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 2108 wrote to memory of 1800	2108	omsecor.exe	36
PID 1800 wrote to memory of 2536	1800	omsecor.exe	37
PID 1800 wrote to memory of 2536	1800	omsecor.exe	37
PID 1800 wrote to memory of 2536	1800	omsecor.exe	37
PID 1800 wrote to memory of 2536	1800	omsecor.exe	37
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38
PID 2536 wrote to memory of 2148	2536	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
"C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
  C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0c21890a444bf9423cbdefee56a39d30

SHA1
038dce0e097a67a5e0bd14f70af5b5fdaba6b4ba

SHA256
6c01ca205bc0b7d8cef5284c9f2393966e7411c28e6080c6f4e8fd7607016923

SHA512
68a8c2004077c23dad5d3b07974afed1cd4203198ee78a8b3d755a579358d2fcdf6128beb59d505277c516bedb39b0fdc84d16e18ceab3893b64fbe03011653e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4e0f0b43b91a57ae357926b1b32a7bd7

SHA1
4ab60388b448ff260d7ab2a861c7e79e93966f74

SHA256
5719890b9edf94f87c9ebdfcf411feab4aaa1a844bd0a52b99e468d3ca98f2f7

SHA512
130833d8d4e105ff46706319d59f111a06294e897f5afd36fb57a6109804e703f1c99ed423b8ba14c77f346f8d3ec3ff11c2bf82de4111e89b67e78532f551ce

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1ac6b17bdeb41a6f099d3390be9ceb95

SHA1
3fc5b1b5a8f831ae68dd6d28f085a4087cafc625

SHA256
fc0b93c7e187ab4c66fcd7f3f523b2670fcc08c7a2491e2c4dcc130e01fa0e8d

SHA512
fa1898a992553a32299f034d2d5764b0730da72ebc509ab23e6cb611cabdc8bca8b995b805f535a5ae07b881b5e44ce1d10e9c33a399e06fa89d15774eec599f

Download Submit
memory/780-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1800-73-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/2108-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2148-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-82-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2536-90-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2744-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-49-0x0000000000810000-0x0000000000833000-memory.dmp

Filesize
140KB

Download
memory/2744-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-36-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2764-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-10-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2792-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-15-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download