neconyd | fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
Size

96KB
MD5

aa88acfb7a9968aa6855bdcd044b8bad
SHA1

95d1dfdade216b01efe0cfd38445619180da0a82
SHA256

fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d
SHA512

6220d7d5c6cbd78c114e542e1374d69017ea35535056aef2a7e1fff42cff430ce269a0f3c94ae1fc96d1f34776181e835b86fac543f8db58efa5b14161550891
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:kGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1224	omsecor.exe
2036	omsecor.exe
2120	omsecor.exe
1340	omsecor.exe
2196	omsecor.exe
520	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
1224	omsecor.exe
2036	omsecor.exe
2036	omsecor.exe
1340	omsecor.exe
1340	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1224 set thread context of 2036	1224	omsecor.exe	32
PID 2120 set thread context of 1340	2120	omsecor.exe	36
PID 2196 set thread context of 520	2196	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 1740 wrote to memory of 2368	1740	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	30
PID 2368 wrote to memory of 1224	2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	31
PID 2368 wrote to memory of 1224	2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	31
PID 2368 wrote to memory of 1224	2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	31
PID 2368 wrote to memory of 1224	2368	fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe	31
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 1224 wrote to memory of 2036	1224	omsecor.exe	32
PID 2036 wrote to memory of 2120	2036	omsecor.exe	35
PID 2036 wrote to memory of 2120	2036	omsecor.exe	35
PID 2036 wrote to memory of 2120	2036	omsecor.exe	35
PID 2036 wrote to memory of 2120	2036	omsecor.exe	35
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 2120 wrote to memory of 1340	2120	omsecor.exe	36
PID 1340 wrote to memory of 2196	1340	omsecor.exe	37
PID 1340 wrote to memory of 2196	1340	omsecor.exe	37
PID 1340 wrote to memory of 2196	1340	omsecor.exe	37
PID 1340 wrote to memory of 2196	1340	omsecor.exe	37
PID 2196 wrote to memory of 520	2196	omsecor.exe	38
PID 2196 wrote to memory of 520	2196	omsecor.exe	38
PID 2196 wrote to memory of 520	2196	omsecor.exe	38
PID 2196 wrote to memory of 520	2196	omsecor.exe	38
PID 2196 wrote to memory of 520	2196	omsecor.exe	38
PID 2196 wrote to memory of 520	2196	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
"C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
  C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d78b30c514ce10800837df3433c3ac4e

SHA1
2b15c60ea2b057299dc3fb5372c711ab8b8ec445

SHA256
d5414ec810a62b2b7ec7fbd70db5d537147656d2a230cfb40cc9e64e4db7d192

SHA512
428a4d93b1502b234994f3a019ac2e264f4c1e06137d01bdfd93e38991b2f81a8b47af6b597ef2ad6e4329bbbc98c95f141fb3a5221bb488d87c55d9403f69f8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c220dd82c4b3b1d8e0f49ca136a9dee3

SHA1
33e2a61dc96d8216240d1ef5f100f350145442aa

SHA256
2466d4db74a3b4cc9e3aec59099c79565b88bdb2a40a08331c769ff03a414933

SHA512
61bbbaf624e3b4d57f58542ae434281280d79d8635f2ce498615d15b5c1b326060e29dcf8388fc295071cd837eda19f8b846d356a1c9c37f1436cd8f30af221d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
84a14f82ea432ce228c727b4ee692eec

SHA1
b0db1506a7efe85bc21865aacd2f438bac379a77

SHA256
6dc767bcad91d907cf8fa33a9168d85cb6a82c77a2f3c4fb53f968d6ebc79b18

SHA512
4b2bfee97e52d8183e853111ca0ec63ab5b7ce71de03997cff77635d23ed640af9e7e0d05fc916aa24b8b56a1de4c2ff62a6ebecb2a284ff21dd154404efbc50

Download Submit
memory/520-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/520-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1224-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1740-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1740-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-48-0x0000000002090000-0x00000000020B3000-memory.dmp

Filesize
140KB

Download
memory/2036-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2120-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2120-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2368-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download