neconyd | ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Size

96KB
MD5

3e4c1ce6813953cf9e9f095d431e7a60
SHA1

57fca638667c00b14f0d84dd33e28675e939ecb2
SHA256

ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591
SHA512

af043995dacd855dec144f2a94a950cd3def22a3f0a974de7bedd31a0b9ec7e998a0cc63827735717d6f4e03f3bb2ee0580209e6125fb0ff5e7b03357fd4c2bf
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:kGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3688	omsecor.exe
2144	omsecor.exe
624	omsecor.exe
3096	omsecor.exe
5112	omsecor.exe
396	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 3688 set thread context of 2144	3688	omsecor.exe	89
PID 624 set thread context of 3096	624	omsecor.exe	110
PID 5112 set thread context of 396	5112	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3136	2124	WerFault.exe	84
2088	3688	WerFault.exe	87
540	624	WerFault.exe	109
3872	5112	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 2124 wrote to memory of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 2124 wrote to memory of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 2124 wrote to memory of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 2124 wrote to memory of 1768	2124	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	85
PID 1768 wrote to memory of 3688	1768	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	87
PID 1768 wrote to memory of 3688	1768	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	87
PID 1768 wrote to memory of 3688	1768	ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe	87
PID 3688 wrote to memory of 2144	3688	omsecor.exe	89
PID 3688 wrote to memory of 2144	3688	omsecor.exe	89
PID 3688 wrote to memory of 2144	3688	omsecor.exe	89
PID 3688 wrote to memory of 2144	3688	omsecor.exe	89
PID 3688 wrote to memory of 2144	3688	omsecor.exe	89
PID 2144 wrote to memory of 624	2144	omsecor.exe	109
PID 2144 wrote to memory of 624	2144	omsecor.exe	109
PID 2144 wrote to memory of 624	2144	omsecor.exe	109
PID 624 wrote to memory of 3096	624	omsecor.exe	110
PID 624 wrote to memory of 3096	624	omsecor.exe	110
PID 624 wrote to memory of 3096	624	omsecor.exe	110
PID 624 wrote to memory of 3096	624	omsecor.exe	110
PID 624 wrote to memory of 3096	624	omsecor.exe	110
PID 3096 wrote to memory of 5112	3096	omsecor.exe	112
PID 3096 wrote to memory of 5112	3096	omsecor.exe	112
PID 3096 wrote to memory of 5112	3096	omsecor.exe	112
PID 5112 wrote to memory of 396	5112	omsecor.exe	114
PID 5112 wrote to memory of 396	5112	omsecor.exe	114
PID 5112 wrote to memory of 396	5112	omsecor.exe	114
PID 5112 wrote to memory of 396	5112	omsecor.exe	114
PID 5112 wrote to memory of 396	5112	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
"C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
  C:\Users\Admin\AppData\Local\Temp\ec6b63b7d0457da8b61f411574bcf389da7f1c2af89500248abd1d4fc099a591N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 256
        8⤵
        Program crash
        
        PID:3872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 292
        6⤵
        Program crash
        
        PID:540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 288
      4⤵
      Program crash
      PID:2088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 272
  2⤵
  - Program crash
  PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2124 -ip 2124
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3688 -ip 3688
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 624 -ip 624
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5112 -ip 5112
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ea0e96d45297079328582eddbeb8244e

SHA1
16db4d44c11eb1cc58202cab7b68b618b05a74fd

SHA256
c643ed60f2a0efa903c1c09eb0010e708a77171807b8bb0dce0220a7ea05fa9a

SHA512
a4a63fbcf306216825fb53803f8e5aef095b695ef101f1da9e2ab10c833982ea57354108398ac49259fcf227c9ef04d9fbc72fd9edb8575316063cf92b5d39c1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e372a66a78645d8f9fbc33ff43df24c5

SHA1
1d6405b045d38506f07bd467cb52294ce3cdf8a4

SHA256
4b7aec92c38ff9df25e3ebdd581fa01f2b90948c5dff7fe0a9df13f4d7910ce4

SHA512
8cded00cc365bfaccd05e0166b6e0b529b6c65afb32dda48cef80628a13ecd2f3c749130b63db258a06cded0eab1c6d84925a599157d794c485badf3fd6bf89c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
090467fcff7c7d9f97e6407db6654f4d

SHA1
cbdeb5501ff65474e71759e94b6e47abc9015f07

SHA256
ba9ac1875814b17651d98bee7ba59e9ebca39b6d55e7b25b3336e2a8987b8221

SHA512
eb9ddb42f4e30d98a3b8c835b912e95209036ac3a24a3d28590795f4fa2b597b094fe2d1132658ace37aac00dc8a710e345591b8697b4a56047ed89ad77ab3dc

Download Submit
memory/396-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/624-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/624-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1768-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2124-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2144-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3096-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3096-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3096-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3688-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3688-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5112-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5112-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download