neconyd | f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
Size

96KB
MD5

3b87df6ba12f741504b9ad45612d562a
SHA1

3098d97f852c29c255964f0aa0bd7019b0dce5a6
SHA256

f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991
SHA512

4a74651a7b1377d9fb87fe52df33f9e859658ce2b42c7d872ceffa10a85b5e0d6a3f8c74622ab91c63e2ce116a9cfccd4a9d92ab1941f5b2592a2c19acbd46aa
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:OGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2520	omsecor.exe
2664	omsecor.exe
3024	omsecor.exe
1276	omsecor.exe
2280	omsecor.exe
2284	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
2520	omsecor.exe
2664	omsecor.exe
2664	omsecor.exe
1276	omsecor.exe
1276	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2520 set thread context of 2664	2520	omsecor.exe	33
PID 3024 set thread context of 1276	3024	omsecor.exe	37
PID 2280 set thread context of 2284	2280	omsecor.exe	39

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2360 wrote to memory of 2080	2360	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	31
PID 2080 wrote to memory of 2520	2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	32
PID 2080 wrote to memory of 2520	2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	32
PID 2080 wrote to memory of 2520	2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	32
PID 2080 wrote to memory of 2520	2080	f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe	32
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2520 wrote to memory of 2664	2520	omsecor.exe	33
PID 2664 wrote to memory of 3024	2664	omsecor.exe	36
PID 2664 wrote to memory of 3024	2664	omsecor.exe	36
PID 2664 wrote to memory of 3024	2664	omsecor.exe	36
PID 2664 wrote to memory of 3024	2664	omsecor.exe	36
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 3024 wrote to memory of 1276	3024	omsecor.exe	37
PID 1276 wrote to memory of 2280	1276	omsecor.exe	38
PID 1276 wrote to memory of 2280	1276	omsecor.exe	38
PID 1276 wrote to memory of 2280	1276	omsecor.exe	38
PID 1276 wrote to memory of 2280	1276	omsecor.exe	38
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39
PID 2280 wrote to memory of 2284	2280	omsecor.exe	39

C:\Users\Admin\AppData\Local\Temp\f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
"C:\Users\Admin\AppData\Local\Temp\f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
  C:\Users\Admin\AppData\Local\Temp\f5e958645cdfd765bd749a28bc991d23802e6bd8f6cb6c011f16fa74515e8991.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
df3331f45e58823272877aa7a8ed8bf3

SHA1
ab24c2a07db666b81b6b2c38a7e78a776d98c3e9

SHA256
c8cc4b90d1f1ebade539175d650501ed6bc818ececfd5cbcf75636606554b39c

SHA512
93291c8b622f792926c482ee7919a7fb81f95ba8d1d1818f674a1c2005abc15da81587c4cacf6a448f6015ac4b94abd92355390fea3677fdc631e9a0bbf71e1f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
641e2ded79650d59b21b3fb996e80115

SHA1
513d14df171bd136b7a2b1b67332073165731820

SHA256
ec81da21968efd3f94c91024dd315d9a6d74df3770a4b29e4621b24eaebb7b1c

SHA512
d4588d774f76651674aa3711e645f694f661d7f115f5fb5b1160ed6573a2f2363b7c4365f48f6f53f80af6eb7dffd4239c217c9b74edf837fe2e7eb626fd4984

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0262d910db3582ab0585a185b9a34452

SHA1
9853c81050864eff60252bc564c48e2eeba55f3c

SHA256
c4fb61cd845f9e367cddcb0c961fe589ef2a79bfa01dfca15ea4c6cce2610d82

SHA512
ed005f98e0794c928e274b4c0efda7ebef15857f38468a68ed5b08cd22116d41204c6e80283bb4731c8ecd223b52428990b8c26854b94e94dc37e96032172766

Download Submit
memory/2080-14-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2080-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2280-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2280-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2284-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2520-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2520-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2664-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-53-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2664-54-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2664-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3024-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3024-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download