neconyd | 9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Size

96KB
MD5

5b735a1cd8ff71670149304eafd61905
SHA1

0287bd29bc755dd8c58a78e7945a9eea84818c4a
SHA256

9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d
SHA512

58b964d6b3769034ff48e773bdcec857082733503aea2b301e2f794253f0b1b8be1d0e824dab825d0c5400aadfec61c8a17943d7644ea3bffaccaef55c3d2404
SSDEEP

1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:MGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4808	omsecor.exe
5040	omsecor.exe
1940	omsecor.exe
3332	omsecor.exe
3972	omsecor.exe
4452	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4808 set thread context of 5040	4808	omsecor.exe	87
PID 1940 set thread context of 3332	1940	omsecor.exe	109
PID 3972 set thread context of 4452	3972	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1772	4680	WerFault.exe	82
2116	4808	WerFault.exe	86
4324	1940	WerFault.exe	108
772	3972	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4680 wrote to memory of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4680 wrote to memory of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4680 wrote to memory of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4680 wrote to memory of 4332	4680	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	83
PID 4332 wrote to memory of 4808	4332	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	86
PID 4332 wrote to memory of 4808	4332	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	86
PID 4332 wrote to memory of 4808	4332	9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe	86
PID 4808 wrote to memory of 5040	4808	omsecor.exe	87
PID 4808 wrote to memory of 5040	4808	omsecor.exe	87
PID 4808 wrote to memory of 5040	4808	omsecor.exe	87
PID 4808 wrote to memory of 5040	4808	omsecor.exe	87
PID 4808 wrote to memory of 5040	4808	omsecor.exe	87
PID 5040 wrote to memory of 1940	5040	omsecor.exe	108
PID 5040 wrote to memory of 1940	5040	omsecor.exe	108
PID 5040 wrote to memory of 1940	5040	omsecor.exe	108
PID 1940 wrote to memory of 3332	1940	omsecor.exe	109
PID 1940 wrote to memory of 3332	1940	omsecor.exe	109
PID 1940 wrote to memory of 3332	1940	omsecor.exe	109
PID 1940 wrote to memory of 3332	1940	omsecor.exe	109
PID 1940 wrote to memory of 3332	1940	omsecor.exe	109
PID 3332 wrote to memory of 3972	3332	omsecor.exe	111
PID 3332 wrote to memory of 3972	3332	omsecor.exe	111
PID 3332 wrote to memory of 3972	3332	omsecor.exe	111
PID 3972 wrote to memory of 4452	3972	omsecor.exe	113
PID 3972 wrote to memory of 4452	3972	omsecor.exe	113
PID 3972 wrote to memory of 4452	3972	omsecor.exe	113
PID 3972 wrote to memory of 4452	3972	omsecor.exe	113
PID 3972 wrote to memory of 4452	3972	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
"C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
  C:\Users\Admin\AppData\Local\Temp\9c9410731e693848b6957ecb4d14092872c10c11d9b03351f48504ffc932172d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 256
        8⤵
        Program crash
        
        PID:772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 300
        6⤵
        Program crash
        
        PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 288
      4⤵
      Program crash
      PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 288
  2⤵
  - Program crash
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4808 -ip 4808
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1940 -ip 1940
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3972 -ip 3972
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
54179af8b1e673b2912c1ed7a2d6fc49

SHA1
46e9f3bf59dbc410e745f4d168bc3c0f35b22aef

SHA256
5e4a986a74e6343c09a359f70d0412a1fc9f756caaac4f95ff2f2d9af7d9e39f

SHA512
f2f52d5b3e910ad871d1a05ba152f4a4db9d68854492483dc5231f6271ed1fae789407e9c017877305c35722ef22f0f9f3e8e971dbb9f706f63a0e939e384187

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
852cccb4b4cf2f5956bdeeac6d6b9b72

SHA1
abd35fe80200f1ea571956137e57d49df706720e

SHA256
1a90b709c575365867d0f6d578c2ea467dba59f5a2df7a4b05025dbef217c2ce

SHA512
d979dbe3b0cfb362bb059fb9d3251903f517d8a00e1c92e6af2ee030d315366b0de5c0061efaa9635768ac7410d08a152e9f5a69f5eca5e64cc4646c36769a57

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c656e7eabd253267647e78ebc250b733

SHA1
a0a88680640e1a980e493473bce4d9765b739d2a

SHA256
ac01ab7f37ee586cbd84b1f640312f411b89bd9a0bd5f113a65cb486a8f832ba

SHA512
c9532771828433b116bba2cee31b46c6be6c65807d4d3e78ea8efe7b3e45bff9fbdaa9984a61242bdef812d1f459ce4e00d78ed312fe0078605bbfca37137da0

Download Submit
memory/1940-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1940-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3332-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4332-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4680-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4808-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4808-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5040-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download