neconyd | f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Size

134KB
MD5

40f791e02669d58d787e4829aa569385
SHA1

6c7ba5f8dba69d428587efc45d567692fc8b2550
SHA256

f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d
SHA512

4b5f310d676da4179164812771154243de44bef4f4c3f2b4fc7a1ab52f7d7a33e7902114fb0be66641837c6a141e971e0b844d6d5e4f8c2c45d65a2b7214325a
SSDEEP

1536:yDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:kiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4724	omsecor.exe
3984	omsecor.exe
3288	omsecor.exe
3332	omsecor.exe
1680	omsecor.exe
1632	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 4724 set thread context of 3984	4724	omsecor.exe	87
PID 3288 set thread context of 3332	3288	omsecor.exe	100
PID 1680 set thread context of 1632	1680	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1600	3808	WerFault.exe	81
4124	4724	WerFault.exe	85
3936	3288	WerFault.exe	99
3304	1680	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 3808 wrote to memory of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 3808 wrote to memory of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 3808 wrote to memory of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 3808 wrote to memory of 3608	3808	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	82
PID 3608 wrote to memory of 4724	3608	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	85
PID 3608 wrote to memory of 4724	3608	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	85
PID 3608 wrote to memory of 4724	3608	f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe	85
PID 4724 wrote to memory of 3984	4724	omsecor.exe	87
PID 4724 wrote to memory of 3984	4724	omsecor.exe	87
PID 4724 wrote to memory of 3984	4724	omsecor.exe	87
PID 4724 wrote to memory of 3984	4724	omsecor.exe	87
PID 4724 wrote to memory of 3984	4724	omsecor.exe	87
PID 3984 wrote to memory of 3288	3984	omsecor.exe	99
PID 3984 wrote to memory of 3288	3984	omsecor.exe	99
PID 3984 wrote to memory of 3288	3984	omsecor.exe	99
PID 3288 wrote to memory of 3332	3288	omsecor.exe	100
PID 3288 wrote to memory of 3332	3288	omsecor.exe	100
PID 3288 wrote to memory of 3332	3288	omsecor.exe	100
PID 3288 wrote to memory of 3332	3288	omsecor.exe	100
PID 3288 wrote to memory of 3332	3288	omsecor.exe	100
PID 3332 wrote to memory of 1680	3332	omsecor.exe	102
PID 3332 wrote to memory of 1680	3332	omsecor.exe	102
PID 3332 wrote to memory of 1680	3332	omsecor.exe	102
PID 1680 wrote to memory of 1632	1680	omsecor.exe	104
PID 1680 wrote to memory of 1632	1680	omsecor.exe	104
PID 1680 wrote to memory of 1632	1680	omsecor.exe	104
PID 1680 wrote to memory of 1632	1680	omsecor.exe	104
PID 1680 wrote to memory of 1632	1680	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
"C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
  C:\Users\Admin\AppData\Local\Temp\f63be088119cae28086e3bfbd2982bbc5e306cf885ff85deaafbef604645104d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 256
        8⤵
        Program crash
        
        PID:3304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 292
        6⤵
        Program crash
        
        PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 252
      4⤵
      Program crash
      PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 292
  2⤵
  - Program crash
  PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3288 -ip 3288
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1680 -ip 1680
1⤵
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
094e61f351879d92d8f8214b5af1507e

SHA1
0c99b9c89daeb1a5a762e61e26468208a4922b6c

SHA256
24991aba26272f6497ad67fadcc37ef3855fe50ae3190750f253d54234c3e7a3

SHA512
d5bca53c8e33d6adc8e81179887d2066fe2b332f33a7a8cfb54fc0340bac97a83c9fb38b056f3cf0fb85e8cbfd32e5dc3dbdca90630732ff3778ddded06a9eed

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f1ddf165c47aa84cd0c89ade1304e44e

SHA1
30c99619fecaf5f47bb15076085372cd531b2b98

SHA256
21500030b6005e0331bd2db599f5b28266cbe13fe3fabc5e35d0fceeed8a6ae0

SHA512
47c715033ea8c036413af05808069fe377a584ab03bcd9709584c1a57e6992fc86e1e1fda1998684109e447091e2fb7174abb050f8ea6c575014a1823d5291ca

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7c1a534fdf6f7dc576016b284d65446d

SHA1
4f6a0d22d191fe28b268960d374c4557386fcee2

SHA256
c5dad5dab4dd8a3032f8395f3f9ff1b08e6d84c934ed1dc339a1f3cae90a6c3f

SHA512
f81c3195dfa36bfb79a4d9f34dc29a11b1864658a3b1baea977c696b4a98f92cf95b8f3435e1861654302444843cf4aa5d8b646272edcc78263145ab5f99108b

Download Submit
memory/1632-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1632-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1632-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1632-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3288-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3288-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3332-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3608-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3608-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3608-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3608-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3808-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3808-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3984-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4724-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4724-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download