neconyd | 2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74

Analysis

max time kernel
148s
max time network
130s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Size

134KB
MD5

fa495b1e5ff529bc17284855a046deea
SHA1

3da744e498994df1280c111c8f6aa9a9ccc8cb4e
SHA256

2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74
SHA512

509ceeab9958a0394bec6476ec1f41ad99b1120bbdf90081d0c551a52040506ce72a18632091be1682eade119f7c4258c468e29428d4182c2d7cd7a037ae1450
SSDEEP

1536:tDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:9iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2668	omsecor.exe
3024	omsecor.exe
1436	omsecor.exe
2472	omsecor.exe
236	omsecor.exe
1020	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
2668	omsecor.exe
3024	omsecor.exe
3024	omsecor.exe
2472	omsecor.exe
2472	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2668 set thread context of 3024	2668	omsecor.exe	32
PID 1436 set thread context of 2472	1436	omsecor.exe	36
PID 236 set thread context of 1020	236	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2952 wrote to memory of 2968	2952	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	30
PID 2968 wrote to memory of 2668	2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	31
PID 2968 wrote to memory of 2668	2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	31
PID 2968 wrote to memory of 2668	2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	31
PID 2968 wrote to memory of 2668	2968	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	31
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 2668 wrote to memory of 3024	2668	omsecor.exe	32
PID 3024 wrote to memory of 1436	3024	omsecor.exe	35
PID 3024 wrote to memory of 1436	3024	omsecor.exe	35
PID 3024 wrote to memory of 1436	3024	omsecor.exe	35
PID 3024 wrote to memory of 1436	3024	omsecor.exe	35
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 1436 wrote to memory of 2472	1436	omsecor.exe	36
PID 2472 wrote to memory of 236	2472	omsecor.exe	37
PID 2472 wrote to memory of 236	2472	omsecor.exe	37
PID 2472 wrote to memory of 236	2472	omsecor.exe	37
PID 2472 wrote to memory of 236	2472	omsecor.exe	37
PID 236 wrote to memory of 1020	236	omsecor.exe	38
PID 236 wrote to memory of 1020	236	omsecor.exe	38
PID 236 wrote to memory of 1020	236	omsecor.exe	38
PID 236 wrote to memory of 1020	236	omsecor.exe	38
PID 236 wrote to memory of 1020	236	omsecor.exe	38
PID 236 wrote to memory of 1020	236	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
"C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
  C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3b2a252bd5db7501a9fd255a5a9ed6f9

SHA1
a8064e473449cf12913f3d501f3f6e03d78adefd

SHA256
ed90f43bc4f1cb73bad1d9b396465f84ffe8110ae645a7dbe4c7e6e244909abf

SHA512
658d0129555066b4b7f1e12adf14a1afb3f3f85d99dc71111a1f39453dab830b863487efa39031b5dffb3efcdb4be577c3b28b163d60cb2f91271e6f2feb6ca0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
053d58505f440047923708adc8af969f

SHA1
bb48aa212c8e9a2b2c02a4ef9777521692ee043d

SHA256
4c05bac837455fdb04682cbf2a9f4b858c2bd597c0828a0141be3f75227d1305

SHA512
b632164e5eba610b8767c4d2f70e183eda2fa46ce1cf9646340ac44f72d3f48d66ac10b2cfd2767dd32756e242a9750df14a99ba4904bca44ae2fed707321199

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
34e9ba85288eaf59757202ea6e96933b

SHA1
d6e058453a54dca71493c0b2568af589b2462fd8

SHA256
74565ce6bf5036cac74cd9280d3df22a5de1a165f1cf7f3413494c38373df241

SHA512
c9e0fae7315b4863bd71bbb50385bfbf54a7758dced8163e171fada7dc668561d9cc943bf61865ad9fc2e3d3b08dda5b486ee08b905741c3357f9c8722276ccc

Download Submit
memory/236-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/236-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1020-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1020-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1436-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-85-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2472-74-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2668-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2968-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-13-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2968-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-45-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/3024-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download