neconyd | e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490

Analysis

max time kernel
110s
max time network
99s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
Size

96KB
MD5

f7c87d40481ea749f35736123b2b31f0
SHA1

4e45a3c3db722d6dad1f8b5f0bb4bc48a0c4558f
SHA256

e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490
SHA512

84f1e151ab663d748156fca57398d51120d69e43b1a3e13a36f271d44087dfd9d6cc33aa513aa01f2a7e6975119016f1a28315a33b5df5828a6a49d79b46187d
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxD:OGs8cd8eXlYairZYqMddH13D

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1596	omsecor.exe
2976	omsecor.exe
2704	omsecor.exe
628	omsecor.exe
2952	omsecor.exe
2268	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
1596	omsecor.exe
2976	omsecor.exe
2976	omsecor.exe
628	omsecor.exe
628	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 1596 set thread context of 2976	1596	omsecor.exe	32
PID 2704 set thread context of 628	2704	omsecor.exe	36
PID 2952 set thread context of 2268	2952	omsecor.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 2980 wrote to memory of 1220	2980	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	30
PID 1220 wrote to memory of 1596	1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	31
PID 1220 wrote to memory of 1596	1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	31
PID 1220 wrote to memory of 1596	1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	31
PID 1220 wrote to memory of 1596	1220	e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe	31
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 1596 wrote to memory of 2976	1596	omsecor.exe	32
PID 2976 wrote to memory of 2704	2976	omsecor.exe	35
PID 2976 wrote to memory of 2704	2976	omsecor.exe	35
PID 2976 wrote to memory of 2704	2976	omsecor.exe	35
PID 2976 wrote to memory of 2704	2976	omsecor.exe	35
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 2704 wrote to memory of 628	2704	omsecor.exe	36
PID 628 wrote to memory of 2952	628	omsecor.exe	37
PID 628 wrote to memory of 2952	628	omsecor.exe	37
PID 628 wrote to memory of 2952	628	omsecor.exe	37
PID 628 wrote to memory of 2952	628	omsecor.exe	37
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38
PID 2952 wrote to memory of 2268	2952	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
"C:\Users\Admin\AppData\Local\Temp\e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
  C:\Users\Admin\AppData\Local\Temp\e1bdbb11517c6be9757df19f9c73c38b96a81011033efc164aa637f0787f4490N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b6d43e43d86af0ad48d86c7411ca6f47

SHA1
036f88bc770c135fd257eeb5ca2c1f6e00d491e0

SHA256
e46a0895bbf94b9ea0d7bdace35ca8a48132a118f43a2def9edb96f89e27c8a3

SHA512
8fed8a07131b6ecc363f9950edf1287150d1181593b0dfdc33f85f5eade07593a360355e1129dc98f54ec582346dbaf4987d87a23204a245676f09595b01140f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
df203a02c26e35d320a13f0c1fa41f5c

SHA1
7d45bfe8192e49b4684a76db99424d0dc755e329

SHA256
b54012fa6744a64dcc9bfd5791af7c0957877d0f2dd3304d256223cc6e34a01b

SHA512
9e82c01ceed93b1fd1c7f505b7c55edee32c44fec4dbdbda10cface668ab12450dc1f3e5df60e5a639deadec64264ea58f3dfde9ad179f993dff600c1758b044

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
20d3ab431b8dd22e859062290844013a

SHA1
fc9aa8c6ccdae2e18e8062cb05df402b3d4e515a

SHA256
88c696d1701f40d0af4b3f7afed1e55549f2340bb1916c94d1454e64c8050550

SHA512
203793253242457734b3715db478bb2f9b5efa7122292b8809f2f654c64613747db7c5339c3474258531e1352b365dd0528299d308284f8752406cb4c5953caf

Download Submit
memory/628-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1220-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1220-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1220-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1220-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1220-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1596-24-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/1596-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2268-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2704-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2976-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-47-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2976-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2980-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2980-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download