neconyd | fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
Size

96KB
MD5

6c0f63486de5a850b73bfe0186d7cf5e
SHA1

28de141fb65c5138de9d49396b9000c27763089a
SHA256

fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0
SHA512

2ba784486444875b892da629a66a68679874988330bd1a8d5e42fe894d36dee16b5a0e1fa1ec331fb84e8772102e5ee21dc192e4ff167f30f5e0e74483540ea0
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:oGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2528	omsecor.exe
2592	omsecor.exe
752	omsecor.exe
840	omsecor.exe
1164	omsecor.exe
2188	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
2528	omsecor.exe
2592	omsecor.exe
2592	omsecor.exe
840	omsecor.exe
840	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2528 set thread context of 2592	2528	omsecor.exe	32
PID 752 set thread context of 840	752	omsecor.exe	36
PID 1164 set thread context of 2188	1164	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 2516 wrote to memory of 1544	2516	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	30
PID 1544 wrote to memory of 2528	1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	31
PID 1544 wrote to memory of 2528	1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	31
PID 1544 wrote to memory of 2528	1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	31
PID 1544 wrote to memory of 2528	1544	fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe	31
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2528 wrote to memory of 2592	2528	omsecor.exe	32
PID 2592 wrote to memory of 752	2592	omsecor.exe	35
PID 2592 wrote to memory of 752	2592	omsecor.exe	35
PID 2592 wrote to memory of 752	2592	omsecor.exe	35
PID 2592 wrote to memory of 752	2592	omsecor.exe	35
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 752 wrote to memory of 840	752	omsecor.exe	36
PID 840 wrote to memory of 1164	840	omsecor.exe	37
PID 840 wrote to memory of 1164	840	omsecor.exe	37
PID 840 wrote to memory of 1164	840	omsecor.exe	37
PID 840 wrote to memory of 1164	840	omsecor.exe	37
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38
PID 1164 wrote to memory of 2188	1164	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
"C:\Users\Admin\AppData\Local\Temp\fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
  C:\Users\Admin\AppData\Local\Temp\fc4eda35323a93c3788c195363ef7bb73640b1a20ddca6a5ac6b67946a4d9bb0.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1f0deeb096f2cf2e434f0e42fee9bfba

SHA1
04a0258c27c7e9c587dd733edc4f019926522e42

SHA256
454c1470ee0cd57060896b37d9413d304244eeac1ed91b929d2f46dcc326a9b1

SHA512
49f11f3c1c7e1e2ecec16560aa2d1afdfec1273fc63a193a4a946773038b86a2e776c0dba3b0f82b9215b2c404094c01af8082056960f0988e2b7ffbf102a6a7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
52a2d4df9398cd3c5f5321f32812d021

SHA1
0e2e63e62078fa1b4894c6d9d7d54b1b6935ba12

SHA256
c460f0fe0252d4ab7124fade23265165853816b720f53146cf8114483cb7d4d8

SHA512
9350e315fea6c0904316f7116fff80776d52b4431cda061ef499acc86b0cb2c55d4bae8adba94f616b5ee27e0ca8e0c3fad30007e180c86fe71aeb3249d9b440

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
8188d2bef7160f4b87544c5decc54412

SHA1
e5f2ec580b6134ff1f0e32e99c9ba68406e4345f

SHA256
6b32e7261f35d207fda0d2ead1c9e13ffbeddee2f8c9a4c0eb839b88d40d086c

SHA512
c08a70129a8fb625e1cd0625f1c6e6f7826a064721d7ed6734c25a4c3851df12ad0f4c66dac19d8311b9871f1fa6e815d70226dd578601ac7c183148e9bcf170

Download Submit
memory/752-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/840-75-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/840-78-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/1164-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1164-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1544-14-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/1544-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1544-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1544-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1544-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1544-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2516-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2528-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2528-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2592-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-47-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download
memory/2592-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download