neconyd | d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287b

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Size

134KB
MD5

a5a67f612b5a17a66c725b8269528500
SHA1

be4760955ba37cf1506dbea0fcb47601a8a28e16
SHA256

d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287b
SHA512

420c515f8b90f90b6a0a2845ab173e3298ff8bf248b36abcb61a176bd8ec03d4343f55076a8c1b866f6319004cd5553123a502ffe9cc22e6d8338adcfd00d67d
SSDEEP

1536:MDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:yiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2388	omsecor.exe
2880	omsecor.exe
780	omsecor.exe
524	omsecor.exe
3016	omsecor.exe
2432	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
2388	omsecor.exe
2880	omsecor.exe
2880	omsecor.exe
524	omsecor.exe
524	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 2388 set thread context of 2880	2388	omsecor.exe	32
PID 780 set thread context of 524	780	omsecor.exe	36
PID 3016 set thread context of 2432	3016	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1660 wrote to memory of 1636	1660	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	30
PID 1636 wrote to memory of 2388	1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	31
PID 1636 wrote to memory of 2388	1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	31
PID 1636 wrote to memory of 2388	1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	31
PID 1636 wrote to memory of 2388	1636	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	31
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2388 wrote to memory of 2880	2388	omsecor.exe	32
PID 2880 wrote to memory of 780	2880	omsecor.exe	35
PID 2880 wrote to memory of 780	2880	omsecor.exe	35
PID 2880 wrote to memory of 780	2880	omsecor.exe	35
PID 2880 wrote to memory of 780	2880	omsecor.exe	35
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 780 wrote to memory of 524	780	omsecor.exe	36
PID 524 wrote to memory of 3016	524	omsecor.exe	37
PID 524 wrote to memory of 3016	524	omsecor.exe	37
PID 524 wrote to memory of 3016	524	omsecor.exe	37
PID 524 wrote to memory of 3016	524	omsecor.exe	37
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38
PID 3016 wrote to memory of 2432	3016	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
"C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
cfc84a3a1501caaa91f7b5b0388eed32

SHA1
7631a1cf9ef4b8879db9f9771a88d48842e39f47

SHA256
92fa58f9c3f31e4056bf4ac78ea3b498aa8016432c8571db4d4b6d859bc6e7b3

SHA512
a6a2685fcd1844c3ca08df59add4a550a1eb0548044ccbd51e6d2c9046f86e3c6b95cda63de64c1f47372e7b3f3fc9e097e698c72bcd0e84740f010f5c0ed548

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e3279ad87584a5dd6bf9ca46a9adacfb

SHA1
fb478c5242f227f9fd2cf8c3b34610b275c5763a

SHA256
71ea0abc917933108cec14fe17a621dd9a5583963b9ebd31bf593505709eeac2

SHA512
ea63a4a6efaafeb4b575093c2b10797ba020420b03040cb43187f7db6271a413efb11dba7fdd917c74bb715a0bdbcca7f496e96083dae42a5d95e32dcfe50c94

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
41b8b30e4f0ed73740fa4c20d1490631

SHA1
44862bbc449742b60d09e246eb958bf774d70ee3

SHA256
ad20bdbcdc9084dc7357611dd65ad0a55ffaabbc701015dcf0798008d065a587

SHA512
3a7e080750298469da511b57e0b00fafd4f9505de84556ea867566268bd8d5d9c07cde84c12907b5a58b78535b3a3e75966e7e42741c995bb7c98212e2a266f9

Download Submit
memory/524-67-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/780-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1660-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2432-83-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-44-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2880-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download