neconyd | ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Size

134KB
MD5

1f5b93590a82461a3c309756069c7740
SHA1

a4ac2ada6df4bed79688705f0eb452a4bef57fcd
SHA256

ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11
SHA512

99c766ad16e19b9ce1757721dc99b089ee74a7e8b5bd752eaa48ab09213611ff983931a22575962474f64447ed4e7c2065cf63f95fa5745ab496037c66e8c2fa
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi9:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4760	omsecor.exe
4060	omsecor.exe
4680	omsecor.exe
3804	omsecor.exe
3592	omsecor.exe
3204	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 4760 set thread context of 4060	4760	omsecor.exe	88
PID 4680 set thread context of 3804	4680	omsecor.exe	109
PID 3592 set thread context of 3204	3592	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3516	2884	WerFault.exe	82
3640	4760	WerFault.exe	86
3956	4680	WerFault.exe	108
2636	3592	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 2884 wrote to memory of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 2884 wrote to memory of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 2884 wrote to memory of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 2884 wrote to memory of 5092	2884	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	83
PID 5092 wrote to memory of 4760	5092	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	86
PID 5092 wrote to memory of 4760	5092	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	86
PID 5092 wrote to memory of 4760	5092	ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe	86
PID 4760 wrote to memory of 4060	4760	omsecor.exe	88
PID 4760 wrote to memory of 4060	4760	omsecor.exe	88
PID 4760 wrote to memory of 4060	4760	omsecor.exe	88
PID 4760 wrote to memory of 4060	4760	omsecor.exe	88
PID 4760 wrote to memory of 4060	4760	omsecor.exe	88
PID 4060 wrote to memory of 4680	4060	omsecor.exe	108
PID 4060 wrote to memory of 4680	4060	omsecor.exe	108
PID 4060 wrote to memory of 4680	4060	omsecor.exe	108
PID 4680 wrote to memory of 3804	4680	omsecor.exe	109
PID 4680 wrote to memory of 3804	4680	omsecor.exe	109
PID 4680 wrote to memory of 3804	4680	omsecor.exe	109
PID 4680 wrote to memory of 3804	4680	omsecor.exe	109
PID 4680 wrote to memory of 3804	4680	omsecor.exe	109
PID 3804 wrote to memory of 3592	3804	omsecor.exe	111
PID 3804 wrote to memory of 3592	3804	omsecor.exe	111
PID 3804 wrote to memory of 3592	3804	omsecor.exe	111
PID 3592 wrote to memory of 3204	3592	omsecor.exe	113
PID 3592 wrote to memory of 3204	3592	omsecor.exe	113
PID 3592 wrote to memory of 3204	3592	omsecor.exe	113
PID 3592 wrote to memory of 3204	3592	omsecor.exe	113
PID 3592 wrote to memory of 3204	3592	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
"C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
  C:\Users\Admin\AppData\Local\Temp\ca86903136a0b7c013c9bdba9898a27c09e2298cda7e807af3643747370a0f11N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 244
        8⤵
        Program crash
        
        PID:2636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 292
        6⤵
        Program crash
        
        PID:3956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 300
      4⤵
      Program crash
      PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 288
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2884 -ip 2884
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4760 -ip 4760
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4680 -ip 4680
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3592 -ip 3592
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f49888d21f385631ffb3746556338814

SHA1
bd72d3ebbcf293ebd7460840aa4e675551a1fd0d

SHA256
5946c9bb10ca8d74e5f0b38f2733a86f80d37617c153a276fc86c4d68bfdb11f

SHA512
bafc554ec5f7437c8cfde90a570ba364f6e34a1c9c2422b8e0bcf57d2b2fc8f33dc520fa374e20d6ac215195ae93627619a5b7c49a61626e553a91b066f738b0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ab272e52973f0c2efa4675ff8e12b1c2

SHA1
01ed7323dd44a0cf8ea864aaf83c369a134d61af

SHA256
d728220361efbf8685a2a7c8da8538030e75e2941e042ad46b93d679f19869c5

SHA512
a1b95a0569fbda7d51179ecb613a8f36a7c6a71e6b400d9e2c9e81f90634401ec9f789de067a67dfd7b3c493631b260364b16747923842331af4d9a688e5f072

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e681199314924484695476d7e4ac7d34

SHA1
dbb0e430827640f97a1bfb4e0d120ff14df1eaf6

SHA256
4c66ea33446ed4d6c6a18d421deff29b0f1005abbfa10f3126296810b2475a9b

SHA512
613bc366141e1b81478a0ccce79da29d477f306cd14b112ac33114696397a8283e4eb5c2bc8c26634f247e9b95a100b8a34721532502ed0f5559d4766f91bb2c

Download Submit
memory/2884-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3204-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3204-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3204-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3592-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3804-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4680-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4760-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4760-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5092-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5092-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5092-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5092-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download