neconyd | c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
Size

96KB
MD5

248c41cf2ed74592669cc5acbdddb78d
SHA1

25c1568262e4da6dab1b8f6fdb402988ec2c7bce
SHA256

c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f
SHA512

e06f7940fc7c63c7f6c458ba63b1160f73cbfeb297c5f9790029649f0f51450198a28354b1e0d86b0859f1a7cf2d9534f372f3f51a9e22eff21a0b365b54c570
SSDEEP

1536:InAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:IGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
844	omsecor.exe
2800	omsecor.exe
1476	omsecor.exe
2944	omsecor.exe
1640	omsecor.exe
1408	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
844	omsecor.exe
2800	omsecor.exe
2800	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 844 set thread context of 2800	844	omsecor.exe	31
PID 1476 set thread context of 2944	1476	omsecor.exe	34
PID 1640 set thread context of 1408	1640	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 432 wrote to memory of 2348	432	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	29
PID 2348 wrote to memory of 844	2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	30
PID 2348 wrote to memory of 844	2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	30
PID 2348 wrote to memory of 844	2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	30
PID 2348 wrote to memory of 844	2348	c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe	30
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 844 wrote to memory of 2800	844	omsecor.exe	31
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 2800 wrote to memory of 1476	2800	omsecor.exe	33
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 1476 wrote to memory of 2944	1476	omsecor.exe	34
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 2944 wrote to memory of 1640	2944	omsecor.exe	35
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36
PID 1640 wrote to memory of 1408	1640	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
"C:\Users\Admin\AppData\Local\Temp\c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
  C:\Users\Admin\AppData\Local\Temp\c8295a01550f82fec37690d20fb0496f9ba678d0c13d9ecf1cb8ae6f15fada1f.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
78fe6209b79c5df0b373590c909a4ded

SHA1
5ae4003cd2187a5a62cc7df72ed4ff26b15fd501

SHA256
8d084874f12d6db01d0ca24417962798d3341099121624e4bac2b2bdc61b24b8

SHA512
0765b7837a8e4f9236c052f658af4a700a9504fe1892e24710c9a7ce7768075af4e5ca9ce749090d7835b12aaee45386b0290b5ed8153acfd9d82441692eebe1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7dcdf89b830e60af10e56315f8ddadb1

SHA1
b38521286b7cfe998de3bc4246444a8db8b23942

SHA256
814d321f820b57984b14218b957cc40bbebb80279fdb5245b2cda6012dba6a22

SHA512
8bf1264f9a3314a4436f206b301da8d5b8b6abb000cced047bfe071afb8d41e1aedb85312037cf6ad5aa439634f62f7bbc2fe349d13ea31fd8c10783a700075a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d8ecdba2da50a89dc4a3edfd0f9b2146

SHA1
353174d55d013da1a643f2a4ad23c61610917a33

SHA256
07008c366e5573b9f8103568e83d97666d1bdbae4b33339c4c586b8fccc559e1

SHA512
8f9e0be41dc6fdcf10307eb597f4ea6fb790a4835ccc74939b02917b820c70c146c5e11ffd1cbdae8cf4e8199a26cd29d5d78f17d04055a77c33747f4de7c706

Download Submit
memory/432-11-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/432-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/432-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/844-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/844-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/844-25-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1408-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1408-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-68-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2348-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-58-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2800-48-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2800-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-73-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download