neconyd | 24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
Size

96KB
MD5

927a6a54399c59df9014b46a0e8aa4b7
SHA1

ec20d79bce06eed76bb0314eddc6eb411e08ed97
SHA256

24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601
SHA512

9c37684f8f52ba02bb8b4ab9b7391f3dbbf0bab427a624a152d6f73590c5b2804d407a6081a476f4de9b995140bcfe641b000c193cddf4bef7e7e200622eb805
SSDEEP

1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:qGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2056	omsecor.exe
2544	omsecor.exe
1976	omsecor.exe
1144	omsecor.exe
1616	omsecor.exe
2968	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
2056	omsecor.exe
2544	omsecor.exe
2544	omsecor.exe
1144	omsecor.exe
1144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 2056 set thread context of 2544	2056	omsecor.exe	32
PID 1976 set thread context of 1144	1976	omsecor.exe	36
PID 1616 set thread context of 2968	1616	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 1736 wrote to memory of 2088	1736	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	30
PID 2088 wrote to memory of 2056	2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	31
PID 2088 wrote to memory of 2056	2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	31
PID 2088 wrote to memory of 2056	2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	31
PID 2088 wrote to memory of 2056	2088	24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe	31
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2056 wrote to memory of 2544	2056	omsecor.exe	32
PID 2544 wrote to memory of 1976	2544	omsecor.exe	35
PID 2544 wrote to memory of 1976	2544	omsecor.exe	35
PID 2544 wrote to memory of 1976	2544	omsecor.exe	35
PID 2544 wrote to memory of 1976	2544	omsecor.exe	35
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1976 wrote to memory of 1144	1976	omsecor.exe	36
PID 1144 wrote to memory of 1616	1144	omsecor.exe	37
PID 1144 wrote to memory of 1616	1144	omsecor.exe	37
PID 1144 wrote to memory of 1616	1144	omsecor.exe	37
PID 1144 wrote to memory of 1616	1144	omsecor.exe	37
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38
PID 1616 wrote to memory of 2968	1616	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
"C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
  C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fd6e1a60393fd78f66c7e6b1cd63d90f

SHA1
31c6bb0c469e068fe37450fab4af23f6043dd185

SHA256
cffbe469f7c1b82fadbc5c3866d953857e33e839cd8eca773353385664570022

SHA512
351db833a84f1257736a1d76f814ab93375083422008b578e968fc104d7533ec1bdeb9c1e166d53a7eb2316f32a23be822541882b3ddffa064362963727518ca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d05e3a0811b8e791aafafd7ca411322c

SHA1
18b6c10bc60c7178aeaf5c10c1132e56a623cd40

SHA256
ad614641a793849f080d53f5c4cfe287ae29c25a3b0a0705ec350472e2fd7f2a

SHA512
81b91f60a7e23b6f1e6529e3716755b7c3cc2583189522b36aa26853eeff4bcccf1c0facffb6a34219d754e9086270b62f3c08aa0be939e5a293c3570e783a1d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
79340d399ef4224035510903e6f8a3a7

SHA1
db71cf81fcda641b80d522495f77770e776b4157

SHA256
837c036c4c421bffa28f1380412459e889a9396a37025339a2d936ee0f874bea

SHA512
90a2ccc4077e9c1fd3345cf2a25f3270d6197de54f71b54cc7b39821f0cd96127933076c741d155f204ad322a3146c0d9c8431fd74d2ca39f5cdacb70f43d103

Download Submit
memory/1144-70-0x0000000000260000-0x0000000000283000-memory.dmp

Filesize
140KB

Download
memory/1616-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1616-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1976-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2056-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-47-0x0000000000320000-0x0000000000343000-memory.dmp

Filesize
140KB

Download
memory/2544-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2544-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download