neconyd | b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
Size

96KB
MD5

f32c665675cc7dfbdf396e2a42ab7b9d
SHA1

3f8c1914d341888bc3c235908ab773c3f71e8801
SHA256

b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643
SHA512

ff3a11632dac72174f494e1be17c42b29bc5ae71305b19aca6e20dc9ffd18491796bcf5b181e5e1b918cd06c7423cd942237367958c6145eda5252a452197978
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3068	omsecor.exe
2540	omsecor.exe
2844	omsecor.exe
2364	omsecor.exe
1220	omsecor.exe
2468	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
3068	omsecor.exe
2540	omsecor.exe
2540	omsecor.exe
2364	omsecor.exe
2364	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 3068 set thread context of 2540	3068	omsecor.exe	32
PID 2844 set thread context of 2364	2844	omsecor.exe	36
PID 1220 set thread context of 2468	1220	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2128 wrote to memory of 2124	2128	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	30
PID 2124 wrote to memory of 3068	2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	31
PID 2124 wrote to memory of 3068	2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	31
PID 2124 wrote to memory of 3068	2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	31
PID 2124 wrote to memory of 3068	2124	b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe	31
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 3068 wrote to memory of 2540	3068	omsecor.exe	32
PID 2540 wrote to memory of 2844	2540	omsecor.exe	35
PID 2540 wrote to memory of 2844	2540	omsecor.exe	35
PID 2540 wrote to memory of 2844	2540	omsecor.exe	35
PID 2540 wrote to memory of 2844	2540	omsecor.exe	35
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2844 wrote to memory of 2364	2844	omsecor.exe	36
PID 2364 wrote to memory of 1220	2364	omsecor.exe	37
PID 2364 wrote to memory of 1220	2364	omsecor.exe	37
PID 2364 wrote to memory of 1220	2364	omsecor.exe	37
PID 2364 wrote to memory of 1220	2364	omsecor.exe	37
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38
PID 1220 wrote to memory of 2468	1220	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
"C:\Users\Admin\AppData\Local\Temp\b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
  C:\Users\Admin\AppData\Local\Temp\b969c47de04d42b30a8600b2e21e69da37311cf899c90f524c04e9b5ee2cf643.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
457aa849222397dd26d77f234974a848

SHA1
6c0c5f1f40151b21c1e0c75340c233d5eecc6732

SHA256
60fc59e7b0407b02d22be8af36b43a5b4258da550771dcfe117d9e90bb790d7d

SHA512
a43150cf414e3525cdc89c0f6d976c292c9d48a2f5e6dca1e0c045627eeae3f3d6fe8482ed65983f38f6569b597ec275b4c7681ed89424e3b92ff306b97885d3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
427844ac858b271168be5fb29aa22424

SHA1
73ea87f3367476a1102a8707c5e3b210f48ef9ca

SHA256
e680cf334053808703459a5505734d8b1f3ef7c10770127bc74e47746df29f9a

SHA512
96cdff0eba01ac689179a76dc8aeaba4c29e22fdebacb6bff2fc2a500937f1556b35e17cac6fd7a90aad126179b7caf816c6998ace2b879c1255fc9ed4309285

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
dae5ed439050c562a5cada8c83d3a193

SHA1
226967c5d3f43972388cbd32eead5bfe2d32ee11

SHA256
4f6cf7b0510e8e2985cacdecf1b0b444e63a85a85452d382c9e26a0f10db0bf0

SHA512
6c96e1e21ce3d6247740305a2a7e455408df9dac118243639e8b93da53873df8b4f622938df20b641dfdc4fad929e4a7e14e0a364a2ae9be69da192c2919ef9a

Download Submit
memory/1220-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1220-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2124-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-11-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/2364-73-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2468-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2468-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-48-0x00000000002F0000-0x0000000000313000-memory.dmp

Filesize
140KB

Download
memory/2540-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2844-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2844-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download