neconyd | 97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Size

96KB
MD5

ad84983cf108388009030120e07e2000
SHA1

d058d298c2ee9cbe89480bc29e4da3db3db5505b
SHA256

97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71
SHA512

7f149dff2bb6a7168f47113bb55a360a66d8373766962def2a6fd7021c7044307303afdaab96d479bb068497bccb486a9b6fbaf95d59b07aa20fc1d13a9f47b4
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:EGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1668	omsecor.exe
744	omsecor.exe
4220	omsecor.exe
4732	omsecor.exe
4528	omsecor.exe
4884	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 1668 set thread context of 744	1668	omsecor.exe	87
PID 4220 set thread context of 4732	4220	omsecor.exe	109
PID 4528 set thread context of 4884	4528	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2948	1980	WerFault.exe	82
4284	1668	WerFault.exe	85
4832	4220	WerFault.exe	108
4520	4528	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 1980 wrote to memory of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 1980 wrote to memory of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 1980 wrote to memory of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 1980 wrote to memory of 4628	1980	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	83
PID 4628 wrote to memory of 1668	4628	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	85
PID 4628 wrote to memory of 1668	4628	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	85
PID 4628 wrote to memory of 1668	4628	97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe	85
PID 1668 wrote to memory of 744	1668	omsecor.exe	87
PID 1668 wrote to memory of 744	1668	omsecor.exe	87
PID 1668 wrote to memory of 744	1668	omsecor.exe	87
PID 1668 wrote to memory of 744	1668	omsecor.exe	87
PID 1668 wrote to memory of 744	1668	omsecor.exe	87
PID 744 wrote to memory of 4220	744	omsecor.exe	108
PID 744 wrote to memory of 4220	744	omsecor.exe	108
PID 744 wrote to memory of 4220	744	omsecor.exe	108
PID 4220 wrote to memory of 4732	4220	omsecor.exe	109
PID 4220 wrote to memory of 4732	4220	omsecor.exe	109
PID 4220 wrote to memory of 4732	4220	omsecor.exe	109
PID 4220 wrote to memory of 4732	4220	omsecor.exe	109
PID 4220 wrote to memory of 4732	4220	omsecor.exe	109
PID 4732 wrote to memory of 4528	4732	omsecor.exe	111
PID 4732 wrote to memory of 4528	4732	omsecor.exe	111
PID 4732 wrote to memory of 4528	4732	omsecor.exe	111
PID 4528 wrote to memory of 4884	4528	omsecor.exe	113
PID 4528 wrote to memory of 4884	4528	omsecor.exe	113
PID 4528 wrote to memory of 4884	4528	omsecor.exe	113
PID 4528 wrote to memory of 4884	4528	omsecor.exe	113
PID 4528 wrote to memory of 4884	4528	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
"C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
  C:\Users\Admin\AppData\Local\Temp\97000034378f4baf65a859cfec6c44fd118a4ea183918069bba15a9f1218bf71N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 256
        8⤵
        Program crash
        
        PID:4520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 292
        6⤵
        Program crash
        
        PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 300
      4⤵
      Program crash
      PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 292
  2⤵
  - Program crash
  PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1980 -ip 1980
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1668 -ip 1668
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4220 -ip 4220
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4528 -ip 4528
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
30c1e6db26b51bb5392292846769ac8b

SHA1
cc26f90c1522cf13d47c6444a8ff130200f97cf7

SHA256
888b8f3cd1326012b026db67a02dd2702cde93c555ac9b103915059ee16ae356

SHA512
75b2b81d4cb1b3c82b3733acfa9b1997bd8312fa91bf87c7d5131fb49d071e903cf2e99c62e6022201eefaede912b7d1b82bd6b99c1bef428e8c02a9b3f3ac34

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27958aa968a6d08c5f64d75fe08933d3

SHA1
c8c4d2931f3900dcd19f184c7a28b0bcd65b7d8d

SHA256
4455e90cc4130d04f3e578bf9071e01255613b5c257e8bcabd43722367193534

SHA512
d38e98a8a27e3c22497faec19c85f6054568222b6a736870bd6828bb15925fd19ca52337ae560f212b48b4ab67e6ba74dfdae71874dd5fec8205010122b88a0f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
aaf388f6d2935c5ee6b0ab140c62779f

SHA1
7d223074f8e5ccd37af8dc4bf2c75b59cb024cc2

SHA256
7d860b9b2947255edb7b3c0223b40113023f60f75657dece2c46414072b4bc67

SHA512
355954da6f3c23b3f537dc9c5680cb5f3a4635823df5a4bcb30f5cd5f349469e776434a27e3b17cf8b6d1042ad153ec30e41106e9dea3232eca38d8ed5ae6bed

Download Submit
memory/744-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1668-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4220-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4220-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4528-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4528-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4628-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download