neconyd | 1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2025, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
Size

134KB
MD5

467d4466e9cfc80448b78650981e0262
SHA1

00589707e788664d4743ea981e65833495d016c1
SHA256

1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264
SHA512

f8cfe8a3a1416bc02e2e907f1c83e795b54c1bcb5a3f53d65ea1ac9c28772c1ec42d4a904b748eec9aaba299261cf0b7ae7943d18a7dcd19a2d0d00bbabc9835
SSDEEP

1536:nDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:DiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2764	omsecor.exe
3792	omsecor.exe
4480	omsecor.exe
5044	omsecor.exe
796	omsecor.exe
2000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 2764 set thread context of 3792	2764	omsecor.exe	87
PID 4480 set thread context of 5044	4480	omsecor.exe	107
PID 796 set thread context of 2000	796	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5108	4056	WerFault.exe	82
2184	2764	WerFault.exe	86
1908	4480	WerFault.exe	106
4356	796	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 4056 wrote to memory of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 4056 wrote to memory of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 4056 wrote to memory of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 4056 wrote to memory of 3624	4056	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	83
PID 3624 wrote to memory of 2764	3624	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	86
PID 3624 wrote to memory of 2764	3624	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	86
PID 3624 wrote to memory of 2764	3624	1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe	86
PID 2764 wrote to memory of 3792	2764	omsecor.exe	87
PID 2764 wrote to memory of 3792	2764	omsecor.exe	87
PID 2764 wrote to memory of 3792	2764	omsecor.exe	87
PID 2764 wrote to memory of 3792	2764	omsecor.exe	87
PID 2764 wrote to memory of 3792	2764	omsecor.exe	87
PID 3792 wrote to memory of 4480	3792	omsecor.exe	106
PID 3792 wrote to memory of 4480	3792	omsecor.exe	106
PID 3792 wrote to memory of 4480	3792	omsecor.exe	106
PID 4480 wrote to memory of 5044	4480	omsecor.exe	107
PID 4480 wrote to memory of 5044	4480	omsecor.exe	107
PID 4480 wrote to memory of 5044	4480	omsecor.exe	107
PID 4480 wrote to memory of 5044	4480	omsecor.exe	107
PID 4480 wrote to memory of 5044	4480	omsecor.exe	107
PID 5044 wrote to memory of 796	5044	omsecor.exe	109
PID 5044 wrote to memory of 796	5044	omsecor.exe	109
PID 5044 wrote to memory of 796	5044	omsecor.exe	109
PID 796 wrote to memory of 2000	796	omsecor.exe	111
PID 796 wrote to memory of 2000	796	omsecor.exe	111
PID 796 wrote to memory of 2000	796	omsecor.exe	111
PID 796 wrote to memory of 2000	796	omsecor.exe	111
PID 796 wrote to memory of 2000	796	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
"C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
  C:\Users\Admin\AppData\Local\Temp\1c5a050de55f070e3b44227453f97adefbbca515640759a51caefe86957a8264.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 256
        8⤵
        Program crash
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 292
        6⤵
        Program crash
        
        PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 296
      4⤵
      Program crash
      PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 300
  2⤵
  - Program crash
  PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2764 -ip 2764
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4480 -ip 4480
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 796 -ip 796
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9072f9dc1b4b3b27f8ea04cf982dd21c

SHA1
bb9d43840764e83ccf3526c5bf66227feba5343c

SHA256
46a838db430005f31c4397f3f1c2168eedc7f96de15892d04a5e67d59a6b5054

SHA512
5ab529488eb4de4f129d8dc7224425922646a2a86a330cc666f8f740583c7b15206b86ae86812d303f1a51243b3983c2060d4237f3f95dea19c9fe7e17f44b42

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3e5d980c5dc80db99ab07b78dc81964d

SHA1
7b7ea3a2e6ba10c044611894917955f98dcdda86

SHA256
0e7d2efc4344a66b25497dd31aa25004020961808d235a3db63ddafa4fca0fdf

SHA512
34eb03422af95e63c3c86b04e8580c23767d975b1056e2946b069674aaa6917de9080146535d44558aefaf7c159f559a7c171814bb6eff68678a4d6b39550ca4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
4c0ff6d23c59ecf0118ee81a2927e8ec

SHA1
f039b646e083a768383c179a295c8a6689107dd9

SHA256
3b3709e431ee1a0ecd54c1114a21bff40bc1f9b4e8b263ec55dd3d1ec130e961

SHA512
553d74508ff442399ee1f2f3a0dcdda0300edf17c78f630e62fe202e2866617cc42a47fd669e04cc24140bd4a5ee11cc420e70dd796fe172a07788d286c6d39b

Download Submit
memory/796-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2764-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3624-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4056-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4056-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4480-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4480-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5044-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download