neconyd | ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
Size

96KB
MD5

713f62cde15ced26d03a71e69003d150
SHA1

6bb4418e45e1457529a921571d7a42f1dc3473f7
SHA256

ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a
SHA512

7efd5b7c76cfbcf68055fd390cad609ad83f2b1c0bb1013554f5650b950cded5c0ba25ad4a4aea9c8f6ebf34028e86fc5290fc5319267c6c494aa268a76224ef
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:lGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1832	omsecor.exe
1052	omsecor.exe
2292	omsecor.exe
1352	omsecor.exe
2248	omsecor.exe
864	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
1832	omsecor.exe
1052	omsecor.exe
1052	omsecor.exe
1352	omsecor.exe
1352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 1832 set thread context of 1052	1832	omsecor.exe	30
PID 2292 set thread context of 1352	2292	omsecor.exe	35
PID 2248 set thread context of 864	2248	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2828 wrote to memory of 2212	2828	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	28
PID 2212 wrote to memory of 1832	2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	29
PID 2212 wrote to memory of 1832	2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	29
PID 2212 wrote to memory of 1832	2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	29
PID 2212 wrote to memory of 1832	2212	ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe	29
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1832 wrote to memory of 1052	1832	omsecor.exe	30
PID 1052 wrote to memory of 2292	1052	omsecor.exe	34
PID 1052 wrote to memory of 2292	1052	omsecor.exe	34
PID 1052 wrote to memory of 2292	1052	omsecor.exe	34
PID 1052 wrote to memory of 2292	1052	omsecor.exe	34
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 2292 wrote to memory of 1352	2292	omsecor.exe	35
PID 1352 wrote to memory of 2248	1352	omsecor.exe	36
PID 1352 wrote to memory of 2248	1352	omsecor.exe	36
PID 1352 wrote to memory of 2248	1352	omsecor.exe	36
PID 1352 wrote to memory of 2248	1352	omsecor.exe	36
PID 2248 wrote to memory of 864	2248	omsecor.exe	37
PID 2248 wrote to memory of 864	2248	omsecor.exe	37
PID 2248 wrote to memory of 864	2248	omsecor.exe	37
PID 2248 wrote to memory of 864	2248	omsecor.exe	37
PID 2248 wrote to memory of 864	2248	omsecor.exe	37
PID 2248 wrote to memory of 864	2248	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
"C:\Users\Admin\AppData\Local\Temp\ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
  C:\Users\Admin\AppData\Local\Temp\ca0caabaa2e88b05ada3eea30c29630edb60544f89ffdadc4462aa1fa3c3a87a.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0a7739e1d238be4922eddf4834455988

SHA1
da648c0d197c6dbe3d7825efad976d6825cdbecb

SHA256
83c3b7b60f03f1e62da975e0e13e3d9b6ad54ab7aceb74a833c6c1cf9277442e

SHA512
4e6f086c9bbdfbd21de1bb694cb6bae2da28241e4e656c7853f21472259e78053ead259f9ae1340fdc63166eaff0928365d6a19b697a0eea5b18eb3b01e73e97

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b4ccd5d90e61cb57a30f30d1ca9727b3

SHA1
818d4cefb4965bb32537d5bb9c01be18d8d53679

SHA256
948ec8d3ea83f1682ede9408f987c47c0701ba7fc9fc617c7965d827b3376cbc

SHA512
6d6900abcc449ad8614e5f8966bf59862e4418238b1caaa9d74a5473189887b4bad163b395b3870a3baa7514ce1048563ccf2024e5846dcd22fd3e3e0b859235

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
93bbacf07d0505a8f492824ae156ae14

SHA1
040549005aa9a711114f953cbadd873edd817daf

SHA256
3738d8e1627803e29248685881f5dc6fc2c78c0a10fd0699674c7451e9024ee1

SHA512
74efb552b2e3cda7d144ce175cfaeec279e8758bdb2e35dc8a31b7ab38925c1ae825a57d012207034728974b60d08355aa28e1f6d7eae6fa20ddfaf3765247b4

Download Submit
memory/864-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/864-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-57-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/1052-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-49-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/1052-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1352-78-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1352-77-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1832-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1832-26-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1832-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-19-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2212-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-21-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2212-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2248-84-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-92-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2292-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2292-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download