neconyd | b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
Size

96KB
MD5

81ec813a24cad85f5b97baf9787fa631
SHA1

0a1a7d728bac16c4ba8803e3d215805a2939503e
SHA256

b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3
SHA512

a257a07ed481d60a5a075091b75c98ecbe01e9fe84efe7b9371bba73e1829d19a3afb29d26ca017183cd924674e08fec195e0e8417d3490edd0823c8f9aaa4b5
SSDEEP

1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2160	omsecor.exe
340	omsecor.exe
1804	omsecor.exe
1464	omsecor.exe
1424	omsecor.exe
2300	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
2160	omsecor.exe
340	omsecor.exe
340	omsecor.exe
1464	omsecor.exe
1464	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 2160 set thread context of 340	2160	omsecor.exe	32
PID 1804 set thread context of 1464	1804	omsecor.exe	36
PID 1424 set thread context of 2300	1424	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 1196 wrote to memory of 804	1196	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	30
PID 804 wrote to memory of 2160	804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	31
PID 804 wrote to memory of 2160	804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	31
PID 804 wrote to memory of 2160	804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	31
PID 804 wrote to memory of 2160	804	b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe	31
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 2160 wrote to memory of 340	2160	omsecor.exe	32
PID 340 wrote to memory of 1804	340	omsecor.exe	35
PID 340 wrote to memory of 1804	340	omsecor.exe	35
PID 340 wrote to memory of 1804	340	omsecor.exe	35
PID 340 wrote to memory of 1804	340	omsecor.exe	35
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1804 wrote to memory of 1464	1804	omsecor.exe	36
PID 1464 wrote to memory of 1424	1464	omsecor.exe	37
PID 1464 wrote to memory of 1424	1464	omsecor.exe	37
PID 1464 wrote to memory of 1424	1464	omsecor.exe	37
PID 1464 wrote to memory of 1424	1464	omsecor.exe	37
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38
PID 1424 wrote to memory of 2300	1424	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
"C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b30ed9cda57812d61a9088c0d1328b2f

SHA1
d65d2fd9af0c7b86851105e58e62780b5cc88e3a

SHA256
3430b32c66561d387786d39ba967e508329450392d8569ff0a6bd90e845ce47e

SHA512
8c563ad59a29c798f3f11c7102a4c3ca328efa4cd5ee43fc1142ce24c76ca59a72ec517dec36d30ec8ce64249e0b53a4434cbe1a20d90776088095a9d11c28c0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cbdc7aca84e275a3f0981ffd3d109d6f

SHA1
c6f86c788c0405166f490dad8fc3a9a10c972448

SHA256
b31b85e91cea5b7956ad41a06ecfb85f41f247723c703c8ac376899caabe0e21

SHA512
45f88d697822fec3d6f0dbc72c26a005063fad704ce4e075bd4a0f59f762281251313233c72a38a460b4a3205908618af43c85d7fff3b71ded2929392a77a9d1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9806ccaa11663d3a5437e5a6baeaac71

SHA1
04457becdaa41890e19412788db904437d1c7cae

SHA256
b1b0acf0163ed0cacb0528b411c7937c80a77eba001b91996ab676fc2ca2b592

SHA512
fcfe6e21ca9c959e5f86e7de59c5784ef9abdb2062509329a9a62bb5d418529576cab13f1ae14ad33759d8a86de4fa23a8cacb168769d1fddcc12c290369de1a

Download Submit
memory/340-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/340-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/804-20-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/804-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/804-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/804-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/804-21-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/804-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/804-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1196-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1196-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1424-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1424-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1464-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1804-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2160-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2300-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download