neconyd | c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfe

Analysis

max time kernel
110s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Size

96KB
MD5

eba5577bdcc8429e4fc573ed479ca6e0
SHA1

2af7c176d2d26d5bd7b68f6454798c500d502db1
SHA256

c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfe
SHA512

0c9e5399d2d88770f38f0078581b534e89ca57a67639dfe1d89104a94333b3f59e39af23bd8323fc570cbb6337b92107cc6aa8402c3e4b69445222ce9d7a80bc
SSDEEP

1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:hGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4032	omsecor.exe
4784	omsecor.exe
4416	omsecor.exe
1444	omsecor.exe
4888	omsecor.exe
456	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4100 set thread context of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4032 set thread context of 4784	4032	omsecor.exe	87
PID 4416 set thread context of 1444	4416	omsecor.exe	108
PID 4888 set thread context of 456	4888	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
772	4100	WerFault.exe	82
2056	4032	WerFault.exe	86
1324	4416	WerFault.exe	107
4100	4888	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4100 wrote to memory of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4100 wrote to memory of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4100 wrote to memory of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4100 wrote to memory of 4420	4100	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	83
PID 4420 wrote to memory of 4032	4420	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	86
PID 4420 wrote to memory of 4032	4420	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	86
PID 4420 wrote to memory of 4032	4420	c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe	86
PID 4032 wrote to memory of 4784	4032	omsecor.exe	87
PID 4032 wrote to memory of 4784	4032	omsecor.exe	87
PID 4032 wrote to memory of 4784	4032	omsecor.exe	87
PID 4032 wrote to memory of 4784	4032	omsecor.exe	87
PID 4032 wrote to memory of 4784	4032	omsecor.exe	87
PID 4784 wrote to memory of 4416	4784	omsecor.exe	107
PID 4784 wrote to memory of 4416	4784	omsecor.exe	107
PID 4784 wrote to memory of 4416	4784	omsecor.exe	107
PID 4416 wrote to memory of 1444	4416	omsecor.exe	108
PID 4416 wrote to memory of 1444	4416	omsecor.exe	108
PID 4416 wrote to memory of 1444	4416	omsecor.exe	108
PID 4416 wrote to memory of 1444	4416	omsecor.exe	108
PID 4416 wrote to memory of 1444	4416	omsecor.exe	108
PID 1444 wrote to memory of 4888	1444	omsecor.exe	110
PID 1444 wrote to memory of 4888	1444	omsecor.exe	110
PID 1444 wrote to memory of 4888	1444	omsecor.exe	110
PID 4888 wrote to memory of 456	4888	omsecor.exe	112
PID 4888 wrote to memory of 456	4888	omsecor.exe	112
PID 4888 wrote to memory of 456	4888	omsecor.exe	112
PID 4888 wrote to memory of 456	4888	omsecor.exe	112
PID 4888 wrote to memory of 456	4888	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
"C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
  C:\Users\Admin\AppData\Local\Temp\c0b4fe6f3f8b7d38cff4480d067f32f50f3bf1858b94219f3520c4818784ebfeN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 256
        8⤵
        Program crash
        
        PID:4100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 292
        6⤵
        Program crash
        
        PID:1324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 288
      4⤵
      Program crash
      PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 292
  2⤵
  - Program crash
  PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4100 -ip 4100
1⤵
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4032 -ip 4032
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4416 -ip 4416
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
57fb7c87269d823e70dd8854d6412c99

SHA1
13c59b1e989fd457f921a08e324d7f81ac2feb83

SHA256
af4413f9c7943b5ac0bb80aa7c97edc5037ecfd2394e3102ae98663b6cc7e29d

SHA512
f56eb95130034539ecb1cf624a1e55b07dda1d3f1e36633ee9cb2ff0487a5def446876b1295c2d7536357c64baf3257b9428c5ebd328671dacbd75ce36408927

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
96f5b898b5f386c7a78bfbc2878dcfbb

SHA1
b26cc5dfdc230fb3c686d72d782e452e76e0e9f4

SHA256
2dcae749724696582f0cc90fec09f6aab225e739a170e4728b5f3fd406447f39

SHA512
a317a9509a6b215836812ef498d4ffbab0490ed24198c2a9edf8fa059000606f5778c59819efd593d81457ecf61deaa65fb744130b9ddb209ff3b64fd3a3bbf0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9abb4fe808066f61023b3cb58216f0ab

SHA1
3d5bc7e7397e015afa18eea73dd572268987a710

SHA256
e1e5eee492b36ed733732af4d123cebbbf2c3695b2e73964d7ec1dd967b00e3c

SHA512
5d64a5c54df760f843c8f23c8d9528ab805916bf8309b2c3266428b974a15ef8645e2fc77aeca2f8538b1fdb5632b561248dc72f824aa38a8db09cd688dd2d6b

Download Submit
memory/456-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/456-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/456-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4100-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4100-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4416-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4416-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4420-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download