neconyd | f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
Size

96KB
MD5

40cf1e628a5f14faf8c6c86e3f115e70
SHA1

01311d9bf7b7c4488c0e077a18574802f6cbba42
SHA256

f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81
SHA512

b981edc39123459dc1a240b6bd5958e917f6f1d0f943adb7bd051fec0028369d31345983248ce2d3a3d05ea943bc994cebb4dad7afa028f1fca4cb4209f24011
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:kGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3908	omsecor.exe
4528	omsecor.exe
4032	omsecor.exe
1992	omsecor.exe
2984	omsecor.exe
3100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 3908 set thread context of 4528	3908	omsecor.exe	86
PID 4032 set thread context of 1992	4032	omsecor.exe	100
PID 2984 set thread context of 3100	2984	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1028	692	WerFault.exe	81
3024	3908	WerFault.exe	84
2664	4032	WerFault.exe	99
5020	2984	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 692 wrote to memory of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 692 wrote to memory of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 692 wrote to memory of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 692 wrote to memory of 808	692	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	82
PID 808 wrote to memory of 3908	808	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	84
PID 808 wrote to memory of 3908	808	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	84
PID 808 wrote to memory of 3908	808	f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe	84
PID 3908 wrote to memory of 4528	3908	omsecor.exe	86
PID 3908 wrote to memory of 4528	3908	omsecor.exe	86
PID 3908 wrote to memory of 4528	3908	omsecor.exe	86
PID 3908 wrote to memory of 4528	3908	omsecor.exe	86
PID 3908 wrote to memory of 4528	3908	omsecor.exe	86
PID 4528 wrote to memory of 4032	4528	omsecor.exe	99
PID 4528 wrote to memory of 4032	4528	omsecor.exe	99
PID 4528 wrote to memory of 4032	4528	omsecor.exe	99
PID 4032 wrote to memory of 1992	4032	omsecor.exe	100
PID 4032 wrote to memory of 1992	4032	omsecor.exe	100
PID 4032 wrote to memory of 1992	4032	omsecor.exe	100
PID 4032 wrote to memory of 1992	4032	omsecor.exe	100
PID 4032 wrote to memory of 1992	4032	omsecor.exe	100
PID 1992 wrote to memory of 2984	1992	omsecor.exe	102
PID 1992 wrote to memory of 2984	1992	omsecor.exe	102
PID 1992 wrote to memory of 2984	1992	omsecor.exe	102
PID 2984 wrote to memory of 3100	2984	omsecor.exe	104
PID 2984 wrote to memory of 3100	2984	omsecor.exe	104
PID 2984 wrote to memory of 3100	2984	omsecor.exe	104
PID 2984 wrote to memory of 3100	2984	omsecor.exe	104
PID 2984 wrote to memory of 3100	2984	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
"C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
  C:\Users\Admin\AppData\Local\Temp\f71f2f2c75f9e22858abc833abd93039047bbd5d0636dd1b01c5ad6a5b12ae81N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 268
        8⤵
        Program crash
        
        PID:5020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 292
        6⤵
        Program crash
        
        PID:2664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 288
      4⤵
      Program crash
      PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 292
  2⤵
  - Program crash
  PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 692 -ip 692
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3908 -ip 3908
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4032 -ip 4032
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2984 -ip 2984
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d78fe0a93141606ec28d33bd092d542a

SHA1
d82966eca69b02ab37b9f4798b70412967f780c4

SHA256
dd33a9b621b531c7a667e73c6274d4e01a418a0c1731290d991d260261ecbb7b

SHA512
ccc47c99e139d8605c9494f5e0075221681a6ca16966b0b984b7a5be0bfa710d8090854453ee979132b70f3d6b471863fbdb563c79f3f6d90b636e04c10ee070

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36f9f0e54b0ed02ddce511ba0be93c13

SHA1
b30ec2c853fab55792883a43c6320fb2531a256c

SHA256
21d567af5894cf4e05355776ff97fa4f5d555181c52bb16778f4fce7d2d1e0f2

SHA512
f426247e675d73ec25ca3ce651f089c1600983434290522968b0c12232c48fa7c11c010f5e692d713ca0f678a5c97f6005da00219bf28bc9be3f95ba0513baf1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5a1c6b7ac7ea75f6c0bd7e0865a79a88

SHA1
ccf707ec97505c34083a134e965fbf7ea2bb332d

SHA256
b58f54caf8784d24e5abd4888eec21e6e792dc00baea2fa3f0b6b81a861474d1

SHA512
bd400d59fa6ac7325e6b6533d4ee9c7f8e3dad318af12f35c3a1089b60c5244b2c81ebaf190c4af3b3cb5f48315fcbbb9774616bf48268a68bde76967a24dc55

Download Submit
memory/692-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/692-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/808-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/808-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/808-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/808-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3100-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3908-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4528-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download