neconyd | 4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Size

96KB
MD5

73d2a65a8acc5264513bc55c9c7a2c8d
SHA1

99dd66e3c2d10fd90729245d0e95040933b5176f
SHA256

4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029
SHA512

f4a9a1ed372c06829cc00aab496aecc47ef7cfdc2ee742276c9ea12b63dcae731983ac1a1cc14e54bafbd81e33f0a680fd9a0730ca4dcc4aafa8bd1c22eda3ae
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:RGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2840	omsecor.exe
2264	omsecor.exe
1512	omsecor.exe
1536	omsecor.exe
308	omsecor.exe
1088	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
2840	omsecor.exe
2264	omsecor.exe
2264	omsecor.exe
1536	omsecor.exe
1536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2840 set thread context of 2264	2840	omsecor.exe	30
PID 1512 set thread context of 1536	1512	omsecor.exe	35
PID 308 set thread context of 1088	308	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 2912 wrote to memory of 3012	2912	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	28
PID 3012 wrote to memory of 2840	3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	29
PID 3012 wrote to memory of 2840	3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	29
PID 3012 wrote to memory of 2840	3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	29
PID 3012 wrote to memory of 2840	3012	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	29
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2840 wrote to memory of 2264	2840	omsecor.exe	30
PID 2264 wrote to memory of 1512	2264	omsecor.exe	34
PID 2264 wrote to memory of 1512	2264	omsecor.exe	34
PID 2264 wrote to memory of 1512	2264	omsecor.exe	34
PID 2264 wrote to memory of 1512	2264	omsecor.exe	34
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1512 wrote to memory of 1536	1512	omsecor.exe	35
PID 1536 wrote to memory of 308	1536	omsecor.exe	36
PID 1536 wrote to memory of 308	1536	omsecor.exe	36
PID 1536 wrote to memory of 308	1536	omsecor.exe	36
PID 1536 wrote to memory of 308	1536	omsecor.exe	36
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37
PID 308 wrote to memory of 1088	308	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
"C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
  C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
000d160fc64957a0d342ffdc4d30fc33

SHA1
2666fe9be10183987b424dfb4f28478a0edcd1ef

SHA256
a3352411ccfcfddbe4404350dd90d438e926603cb099a7933ce0ca083e470b62

SHA512
4fbae7fbe6642edd8f2408d60878be861f086e1290c06feb0f7d62b347f592ac8de803ca06b5f77af412dbf07a3cc41ca7b95569b1df8c6cd707f124b1f98409

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
58b0617cc48e569910a44c204dced77c

SHA1
5ea93b8643058a5776c2d14f003c002daea3d5d1

SHA256
fc3aa5c51ba26d43c6e2713fa856ef26f2279185b1e60ed5079a214ad6a9ce58

SHA512
88147930c7afa21fb1522ab863d1bc556b9677d572aef54ec483aae12360cc637db0e8fb45318dd11daae0fba15be982c06c5bb271d444bcea60bb7dacec0034

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d345d2082cf949ab5c090ce6074d25dc

SHA1
fac18b4d0b8db57cfc3794a93aaf15f049bd2b3a

SHA256
d48b17fece0aa153a0c59be6bc0f0d486165e2fa13afc8ff26cecfc2352d39f0

SHA512
4b7b8ec10ab066a3dab53f1ad2667bcf567a86c9003eacb4b80a3c35f1ff028a0e59b3c2db73158022d2c1bfc1b07a9881ed320e80823e458278aac400405ca5

Download Submit
memory/308-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/308-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1088-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1088-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1512-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-57-0x00000000021D0000-0x00000000021F3000-memory.dmp

Filesize
140KB

Download
memory/2264-89-0x00000000021D0000-0x00000000021F3000-memory.dmp

Filesize
140KB

Download
memory/2264-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-47-0x00000000021D0000-0x00000000021F3000-memory.dmp

Filesize
140KB

Download
memory/2840-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2840-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3012-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download