neconyd | 49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
Size

134KB
MD5

55ab41454b671adae6bd2eaae46fda61
SHA1

c5219e052ebe0e437b0df1eb12ac549e61346d3f
SHA256

49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac
SHA512

e0e49d8a6c0083448ae299ad9dd0035ad796dbbbbb445e02d7183ed9823d97cba5576451d8099add4c9eaaf47133367c428cc97bea89eb90a5a500c23e3ebe93
SSDEEP

1536:gDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7P:WiRTeH0NqAW6J6f1tqF6dngNmaZC7ME

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2096	omsecor.exe
2300	omsecor.exe
1740	omsecor.exe
1760	omsecor.exe
1764	omsecor.exe
3020	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
2096	omsecor.exe
2300	omsecor.exe
2300	omsecor.exe
1760	omsecor.exe
1760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2096 set thread context of 2300	2096	omsecor.exe	32
PID 1740 set thread context of 1760	1740	omsecor.exe	36
PID 1764 set thread context of 3020	1764	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2612 wrote to memory of 2108	2612	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	30
PID 2108 wrote to memory of 2096	2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	31
PID 2108 wrote to memory of 2096	2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	31
PID 2108 wrote to memory of 2096	2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	31
PID 2108 wrote to memory of 2096	2108	49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe	31
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2096 wrote to memory of 2300	2096	omsecor.exe	32
PID 2300 wrote to memory of 1740	2300	omsecor.exe	35
PID 2300 wrote to memory of 1740	2300	omsecor.exe	35
PID 2300 wrote to memory of 1740	2300	omsecor.exe	35
PID 2300 wrote to memory of 1740	2300	omsecor.exe	35
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1740 wrote to memory of 1760	1740	omsecor.exe	36
PID 1760 wrote to memory of 1764	1760	omsecor.exe	37
PID 1760 wrote to memory of 1764	1760	omsecor.exe	37
PID 1760 wrote to memory of 1764	1760	omsecor.exe	37
PID 1760 wrote to memory of 1764	1760	omsecor.exe	37
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38
PID 1764 wrote to memory of 3020	1764	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
"C:\Users\Admin\AppData\Local\Temp\49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
  C:\Users\Admin\AppData\Local\Temp\49d7a8025335f2ca2eb85d72871f58e13fd7da958940a71dda2b04765e1d64ac.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
01eb89242938d6e3af7af71f3407d3c8

SHA1
04e2e691bf3f2690fbc832882420ca333fdb96e2

SHA256
6b9e43706d77f2f5ced4988f4fd6f72bc36cad6818545cd9003e8570f2d7071f

SHA512
fbe8cb821edcd16d0ce440f26c8d1ce657815e15b6aeec8453584b794878fa07ffa0c72954729fcb772fdda2cca2b1b9be215bfb616e545f96d8ce0ae8086337

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
451b2e6615a00c750cae7630a1dffd35

SHA1
92ca21e704f6c0da9cef4ddb1c15cb541036dbfd

SHA256
26ca1081db6854f094c841eecee6612a2ff071f47f60a4fbd976449350b0628f

SHA512
641a42e40be2e9c30f92e80cd6e0621db55019b5647cd5ef13044540af7a271b8f7169c5a38fa924e5519f6471d4a4fd3f65e8c262666a40daf2ec7914dc7e82

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
4f2536d44a3579d75241674b3d3a249d

SHA1
0f6af167c2d1fead7d02629d68192f524ffcd201

SHA256
b8a13bb095d08682a4f086b37b07f7a6fc053fcff35e1c8c2687a2f53e29027f

SHA512
31dafff330edfd9017e74f8cd724d0580969d810548e4fd30ed73d8f85871f7c71ac13f161b3e8987a2bc6c997e03c3d6c3bba0545e5337e1f3204142dfe3060

Download Submit
memory/1740-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-66-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/1764-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1764-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2096-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-14-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2300-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-44-0x0000000000440000-0x0000000000464000-memory.dmp

Filesize
144KB

Download
memory/2300-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2612-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download