neconyd | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9

Analysis

max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Size

96KB
MD5

7445cb0dd8dc1d4cabd9881969898b10
SHA1

b20ce716443b39f6bad665db6578fe6d9cb371be
SHA256

0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9
SHA512

61383698992e232ab3d95402a14b4b3c32de2ceec71a6863d04a064e05c59994a9783373ffb138154f12caded8809cc8ab372eb8c961c83e2d6649fc64744b95
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:zGs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2924	omsecor.exe
2756	omsecor.exe
2568	omsecor.exe
1892	omsecor.exe
2116	omsecor.exe
352	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
2924	omsecor.exe
2756	omsecor.exe
2756	omsecor.exe
1892	omsecor.exe
1892	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 2924 set thread context of 2756	2924	omsecor.exe	32
PID 2568 set thread context of 1892	2568	omsecor.exe	36
PID 2116 set thread context of 352	2116	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 1284 wrote to memory of 656	1284	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	30
PID 656 wrote to memory of 2924	656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	31
PID 656 wrote to memory of 2924	656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	31
PID 656 wrote to memory of 2924	656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	31
PID 656 wrote to memory of 2924	656	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	31
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2924 wrote to memory of 2756	2924	omsecor.exe	32
PID 2756 wrote to memory of 2568	2756	omsecor.exe	35
PID 2756 wrote to memory of 2568	2756	omsecor.exe	35
PID 2756 wrote to memory of 2568	2756	omsecor.exe	35
PID 2756 wrote to memory of 2568	2756	omsecor.exe	35
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 2568 wrote to memory of 1892	2568	omsecor.exe	36
PID 1892 wrote to memory of 2116	1892	omsecor.exe	37
PID 1892 wrote to memory of 2116	1892	omsecor.exe	37
PID 1892 wrote to memory of 2116	1892	omsecor.exe	37
PID 1892 wrote to memory of 2116	1892	omsecor.exe	37
PID 2116 wrote to memory of 352	2116	omsecor.exe	38
PID 2116 wrote to memory of 352	2116	omsecor.exe	38
PID 2116 wrote to memory of 352	2116	omsecor.exe	38
PID 2116 wrote to memory of 352	2116	omsecor.exe	38
PID 2116 wrote to memory of 352	2116	omsecor.exe	38
PID 2116 wrote to memory of 352	2116	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
"C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ecf227d50109f374225f909f705e9bc

SHA1
458cccab2e5ff2bfca3b98b64cf61f3ebb90a8c4

SHA256
7de87bc37afdf859278a2bad190a905cdbb3858787788971ecbb8ccfcd82fb15

SHA512
8ab66b6372f653cb4e03e2c4927719f99707bac4882a7f5918a82b247e523cc313835b1b618faa440b9be69d002a020ef39a3f4d84a542df22cb563e256ac186

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
99f474e43273188ec3b23caf0e28bd18

SHA1
cac5d93c4a84b3b5fe04018e3c3cdb58837f7f0b

SHA256
f5f6a9775d90cfae9354b95963fd2542c27d9faa21a66ec6c0f77f8e8b5c6567

SHA512
f1dae6d45ca451364456b3575a1ef72b854281fdf9e6bece0e5ad2106f2fe53b220f3cb8d59dced42adffe14c24e90d70e5d8ca2f9f6f7270035629ae96f1ff7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
894772991d94681aebb2e934d8eebde4

SHA1
8c7e7dcfe7dc9e82673fbabb53fa79f259d592af

SHA256
ed76c078720d812542836f5d811baf171ebcaf6d4faf4bc8e702dbdd58fb293c

SHA512
bb2573867efec1358c7ce43a37c363691b6f0e4ff74f2d3dc28444f637f0dbe01dda9f43ed3ed3fc5a6d9cfdaa0fb7a2b2b36b6996f90f4aada28b6ad64523d7

Download Submit
memory/352-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/656-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/656-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/656-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/656-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/656-20-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/656-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-7-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1284-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1284-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2116-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2568-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2568-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2756-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-55-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2756-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2756-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2924-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download