neconyd | 9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Size

96KB
MD5

5b735a1cd8ff71670149304eafd61905
SHA1

0287bd29bc755dd8c58a78e7945a9eea84818c4a
SHA256

9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d
SHA512

58b964d6b3769034ff48e773bdcec857082733503aea2b301e2f794253f0b1b8be1d0e824dab825d0c5400aadfec61c8a17943d7644ea3bffaccaef55c3d2404
SSDEEP

1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:MGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4580	omsecor.exe
2260	omsecor.exe
3012	omsecor.exe
1396	omsecor.exe
2792	omsecor.exe
4636	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 4580 set thread context of 2260	4580	omsecor.exe	87
PID 3012 set thread context of 1396	3012	omsecor.exe	100
PID 2792 set thread context of 4636	2792	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1828	1652	WerFault.exe	81
5032	4580	WerFault.exe	84
4140	3012	WerFault.exe	99
3496	2792	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 1652 wrote to memory of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 1652 wrote to memory of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 1652 wrote to memory of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 1652 wrote to memory of 4592	1652	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	82
PID 4592 wrote to memory of 4580	4592	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	84
PID 4592 wrote to memory of 4580	4592	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	84
PID 4592 wrote to memory of 4580	4592	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	84
PID 4580 wrote to memory of 2260	4580	omsecor.exe	87
PID 4580 wrote to memory of 2260	4580	omsecor.exe	87
PID 4580 wrote to memory of 2260	4580	omsecor.exe	87
PID 4580 wrote to memory of 2260	4580	omsecor.exe	87
PID 4580 wrote to memory of 2260	4580	omsecor.exe	87
PID 2260 wrote to memory of 3012	2260	omsecor.exe	99
PID 2260 wrote to memory of 3012	2260	omsecor.exe	99
PID 2260 wrote to memory of 3012	2260	omsecor.exe	99
PID 3012 wrote to memory of 1396	3012	omsecor.exe	100
PID 3012 wrote to memory of 1396	3012	omsecor.exe	100
PID 3012 wrote to memory of 1396	3012	omsecor.exe	100
PID 3012 wrote to memory of 1396	3012	omsecor.exe	100
PID 3012 wrote to memory of 1396	3012	omsecor.exe	100
PID 1396 wrote to memory of 2792	1396	omsecor.exe	102
PID 1396 wrote to memory of 2792	1396	omsecor.exe	102
PID 1396 wrote to memory of 2792	1396	omsecor.exe	102
PID 2792 wrote to memory of 4636	2792	omsecor.exe	104
PID 2792 wrote to memory of 4636	2792	omsecor.exe	104
PID 2792 wrote to memory of 4636	2792	omsecor.exe	104
PID 2792 wrote to memory of 4636	2792	omsecor.exe	104
PID 2792 wrote to memory of 4636	2792	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
"C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
  C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 256
        8⤵
        Program crash
        
        PID:3496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 292
        6⤵
        Program crash
        
        PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 300
      4⤵
      Program crash
      PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 300
  2⤵
  - Program crash
  PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4580 -ip 4580
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3012 -ip 3012
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2792 -ip 2792
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e6b22b211ac658bc913c5043cdabdfd5

SHA1
4aa827db200ac9081c4bb20788b0fe0ab1c92720

SHA256
dcf4e3935263b0fa531d63f8c8422c8a965b50631f5436fdb0b8113134ade081

SHA512
1a5eb284507d846bbfa2a6d7b1a1a9decc39a52c9fb59cb1d646578c207a7311569421a086fe58482e0f55bb938bb765bae24cebdc1087fac20a9c4059959b33

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
852cccb4b4cf2f5956bdeeac6d6b9b72

SHA1
abd35fe80200f1ea571956137e57d49df706720e

SHA256
1a90b709c575365867d0f6d578c2ea467dba59f5a2df7a4b05025dbef217c2ce

SHA512
d979dbe3b0cfb362bb059fb9d3251903f517d8a00e1c92e6af2ee030d315366b0de5c0061efaa9635768ac7410d08a152e9f5a69f5eca5e64cc4646c36769a57

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6c54e764642bf6a41fd43368ec1367d0

SHA1
ac7b70f8598943b5179582f5b3a28ff8ccbbb44f

SHA256
47ef40ef5c28118479c3b9fb5e43bdfaea032f4834fd908239ea6c8526045797

SHA512
2054a3f78661e68a6ac4b34194ccd09995ec52f34b35e16e7586fb70719c2382f9780bf75ac2cdbe6aa2b266c94c36c2b85a02950f8610e2b1594f1cdf807e44

Download Submit
memory/1396-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1652-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2792-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3012-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3012-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4580-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4580-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4592-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download