neconyd | 61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2

Analysis

max time kernel
114s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Size

96KB
MD5

af489875957b7980de9e7b9e657c6c20
SHA1

6e7dd8707e18624e41a4d2f57da6d905d940c970
SHA256

61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2
SHA512

e453687d958a9895b6f82bc221ff5ac7346c2a5175003c213d561a2306995e16a45b6ca2b282807a717abe4dd7ac749b262f73346157400f25d07a30cd38d72a
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:OGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2936	omsecor.exe
2920	omsecor.exe
2184	omsecor.exe
484	omsecor.exe
3052	omsecor.exe
3040	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
2936	omsecor.exe
2920	omsecor.exe
2920	omsecor.exe
484	omsecor.exe
484	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2936 set thread context of 2920	2936	omsecor.exe	32
PID 2184 set thread context of 484	2184	omsecor.exe	35
PID 3052 set thread context of 3040	3052	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2208 wrote to memory of 2688	2208	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	30
PID 2688 wrote to memory of 2936	2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	31
PID 2688 wrote to memory of 2936	2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	31
PID 2688 wrote to memory of 2936	2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	31
PID 2688 wrote to memory of 2936	2688	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	31
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2936 wrote to memory of 2920	2936	omsecor.exe	32
PID 2920 wrote to memory of 2184	2920	omsecor.exe	34
PID 2920 wrote to memory of 2184	2920	omsecor.exe	34
PID 2920 wrote to memory of 2184	2920	omsecor.exe	34
PID 2920 wrote to memory of 2184	2920	omsecor.exe	34
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 2184 wrote to memory of 484	2184	omsecor.exe	35
PID 484 wrote to memory of 3052	484	omsecor.exe	36
PID 484 wrote to memory of 3052	484	omsecor.exe	36
PID 484 wrote to memory of 3052	484	omsecor.exe	36
PID 484 wrote to memory of 3052	484	omsecor.exe	36
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37
PID 3052 wrote to memory of 3040	3052	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
"C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
  C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27f12c55f5c045eb25f507b398f93861

SHA1
0a2254f9e1b26b824695ed0c4da2846133265773

SHA256
37b2787fddca3cd83baea306d2b3b77be0ee00f670070dd09b8a8bc2e5b0da62

SHA512
8d87e78bff96014a5ec8c7587e4b13a251295816099987ee0b91c1eca7dfad647c6957e082103c6cd8056e8885f891e58b642e8851ca76a3da5904570b2a9c42

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
eec592da5515112b2443cf44d00f1777

SHA1
efcd98ce6e171423892f5648c65e095fc288ec41

SHA256
9bc66f36dc0215a7cfb42679920799dbd82d5dea9b05706662b3e540b9a0b663

SHA512
c460197e7379f73aecde2aca1c9bc7ecb17667e95677b3ce687942f3a84d96f85910e6694bef52eafc928e33773c693555b6672e8e915f1e21f298297149884b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5870e9fd1876a31536dcaf5f2b4ccf49

SHA1
32ed348aa78f952ab5ae6d9027eedd44c995759e

SHA256
ae85822f8e23ae8c1c9067253335dda1e8bba6d8fa9c0f15a8d0db1f4505c32d

SHA512
0f3d8682d0d82874614c881551dbb4e0ed3cc45ffb1e66fd6bac173935afbfb9934026621793907f7638e691fbf244c0e5f2d4c808bf09bcb96494898adee9ff

Download Submit
memory/484-78-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/484-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2184-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2184-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-19-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2688-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-12-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2688-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-53-0x00000000005B0000-0x00000000005D3000-memory.dmp

Filesize
140KB

Download
memory/2920-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2936-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download