neconyd | 2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245

Analysis

max time kernel
113s
max time network
103s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
16/02/2025, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
Size

96KB
MD5

d45151a076145f6ebc39bc422b3ec890
SHA1

35790c71e91a457ccc2f635d51127b61f6dd5080
SHA256

2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245
SHA512

c6278b8cb886ec3dd01ecc83dd8e51fb4946ae7bf74696b6d2b123cfc761404f7a203ce92f89ae516f4d4d27accbe69af8f748472e0982f6023eb2c4e7f1fcec
SSDEEP

1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2480	omsecor.exe
2476	omsecor.exe
1840	omsecor.exe
1448	omsecor.exe
668	omsecor.exe
1628	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
2480	omsecor.exe
2476	omsecor.exe
2476	omsecor.exe
1448	omsecor.exe
1448	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 2480 set thread context of 2476	2480	omsecor.exe	30
PID 1840 set thread context of 1448	1840	omsecor.exe	35
PID 668 set thread context of 1628	668	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 1768 wrote to memory of 2484	1768	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	28
PID 2484 wrote to memory of 2480	2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	29
PID 2484 wrote to memory of 2480	2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	29
PID 2484 wrote to memory of 2480	2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	29
PID 2484 wrote to memory of 2480	2484	2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe	29
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2480 wrote to memory of 2476	2480	omsecor.exe	30
PID 2476 wrote to memory of 1840	2476	omsecor.exe	34
PID 2476 wrote to memory of 1840	2476	omsecor.exe	34
PID 2476 wrote to memory of 1840	2476	omsecor.exe	34
PID 2476 wrote to memory of 1840	2476	omsecor.exe	34
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1840 wrote to memory of 1448	1840	omsecor.exe	35
PID 1448 wrote to memory of 668	1448	omsecor.exe	36
PID 1448 wrote to memory of 668	1448	omsecor.exe	36
PID 1448 wrote to memory of 668	1448	omsecor.exe	36
PID 1448 wrote to memory of 668	1448	omsecor.exe	36
PID 668 wrote to memory of 1628	668	omsecor.exe	37
PID 668 wrote to memory of 1628	668	omsecor.exe	37
PID 668 wrote to memory of 1628	668	omsecor.exe	37
PID 668 wrote to memory of 1628	668	omsecor.exe	37
PID 668 wrote to memory of 1628	668	omsecor.exe	37
PID 668 wrote to memory of 1628	668	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
"C:\Users\Admin\AppData\Local\Temp\2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
  C:\Users\Admin\AppData\Local\Temp\2d0f540894feefe53186ebf6ae7dbfe2a94e5a3ae82c30d68e29f321774b2245N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9a51317a5588d3b96bd385c56ff91495

SHA1
8484d402cb3dedfc43f50aec2c47a2613532aca1

SHA256
fd7aacede1bdf438eaae3d795af4f893a8718d28a4388a5cbc782362fbf5c3fb

SHA512
d5604efdf0fb81a94dbcc015c33fd8c422e7e1551e9673c0a61db656c86dc6f4167ae3c9b1562f1fba1ba94ce489968ab683ff9a142096ccec98290ad6fd00d0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
395fb656f22800f80c91bde7134f2e96

SHA1
87e0ce862922075e58583b52379ce865b423cdd7

SHA256
635b13d30c75463e3ca615aa23f2251622eff32875d52775a38ffffdec9da2d2

SHA512
6fd6d06474afd36a0648fc0a2988e226861f5f200df5402bb97fbe13706f80f349427fb1bcbd79a80a85e613bc4931bcd0b84cbf50076cd0d9d78c8ccb33d9f5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2675f4de21d5fe9a37b9ce214b443237

SHA1
77751c2ff0ae05a8838d49a0c195de4b60728305

SHA256
c41b3a7ce9d783464705cb5881be3fe9ad2f6af47d9180abf3ad2cec6107cb45

SHA512
eefcc5ee57c06257554f91c2261767671829a0062841f0d5855d53f2f129d8c32c7c593025625aebf280142a4249d3a5d621296cd85cd379af5b19f4531e49e2

Download Submit
memory/668-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/668-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1448-80-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1448-81-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1628-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1768-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2476-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-49-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2476-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-55-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2476-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-24-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2480-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2484-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2484-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download