neconyd | 59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Size

134KB
MD5

19d6483fdba0d0cde976a108c16686c0
SHA1

8e41b2280d7e0f3da59aa307eef8e6369891fe22
SHA256

59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9
SHA512

cfae729899cc26e4063c67ba9c40de794d8f2b66e5fc2adc61f69ffeb753af519eed204c7934009ec3718ded1554c37a438182dda0415b4a1015ba39af788b88
SSDEEP

1536:nDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:DiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4736	omsecor.exe
2836	omsecor.exe
2396	omsecor.exe
4528	omsecor.exe
512	omsecor.exe
1976	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 4736 set thread context of 2836	4736	omsecor.exe	89
PID 2396 set thread context of 4528	2396	omsecor.exe	109
PID 512 set thread context of 1976	512	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3912	4928	WerFault.exe	83
3820	4736	WerFault.exe	87
1512	2396	WerFault.exe	108
640	512	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 4928 wrote to memory of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 4928 wrote to memory of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 4928 wrote to memory of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 4928 wrote to memory of 1232	4928	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	84
PID 1232 wrote to memory of 4736	1232	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	87
PID 1232 wrote to memory of 4736	1232	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	87
PID 1232 wrote to memory of 4736	1232	59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe	87
PID 4736 wrote to memory of 2836	4736	omsecor.exe	89
PID 4736 wrote to memory of 2836	4736	omsecor.exe	89
PID 4736 wrote to memory of 2836	4736	omsecor.exe	89
PID 4736 wrote to memory of 2836	4736	omsecor.exe	89
PID 4736 wrote to memory of 2836	4736	omsecor.exe	89
PID 2836 wrote to memory of 2396	2836	omsecor.exe	108
PID 2836 wrote to memory of 2396	2836	omsecor.exe	108
PID 2836 wrote to memory of 2396	2836	omsecor.exe	108
PID 2396 wrote to memory of 4528	2396	omsecor.exe	109
PID 2396 wrote to memory of 4528	2396	omsecor.exe	109
PID 2396 wrote to memory of 4528	2396	omsecor.exe	109
PID 2396 wrote to memory of 4528	2396	omsecor.exe	109
PID 2396 wrote to memory of 4528	2396	omsecor.exe	109
PID 4528 wrote to memory of 512	4528	omsecor.exe	111
PID 4528 wrote to memory of 512	4528	omsecor.exe	111
PID 4528 wrote to memory of 512	4528	omsecor.exe	111
PID 512 wrote to memory of 1976	512	omsecor.exe	113
PID 512 wrote to memory of 1976	512	omsecor.exe	113
PID 512 wrote to memory of 1976	512	omsecor.exe	113
PID 512 wrote to memory of 1976	512	omsecor.exe	113
PID 512 wrote to memory of 1976	512	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
"C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
  C:\Users\Admin\AppData\Local\Temp\59296bb2961ad640fbcee07970ce07acace09ded78203debbe6a0d323619abc9N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 256
        8⤵
        Program crash
        
        PID:640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 292
        6⤵
        Program crash
        
        PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 288
      4⤵
      Program crash
      PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 288
  2⤵
  - Program crash
  PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4928 -ip 4928
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4736 -ip 4736
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2396 -ip 2396
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 512 -ip 512
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
94b22464bea9acfde5a11f0c066711e1

SHA1
6d58e9f0db8359e4aac1446b5d33e6b8fd65674e

SHA256
1a6c2203c9f551d5ea161aae0190e0bc6613d0edbb973995eb24430d02b97c78

SHA512
d258a1c3e10c8a21163f22a158fbeca6877beb7253653a68429da859db36c0ed32c14cf39921788f1e0e499bd2e286427dfa61affaa415ef5c64764b6ac2fe70

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8d7ae5d120a4332c684ddd3a5b81b29b

SHA1
11e313aafbdf5aae1ed7c99bd0289ba5dab37bac

SHA256
38c38ba02edfe751951897cfbee225eda9b3b92dfd2fc9763d90a6dc910b118f

SHA512
87388bd296042bf2e2607f39cfd357692b9d7957f5dd7b50fdb07d31aad3a16f46145a0b7f9785ea757b6836084f3c40ad73220d7c061d09b6d1608748a72c58

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6e06e4eb1041a5bffa580d7a450c5834

SHA1
d0d0fb2a546b350df1f461109247e2f9ddc4757f

SHA256
777c89e88e086c271e3ece2163917f849db2f7dd1a2ec6c68d14cafffa846eb5

SHA512
af673bed503edc46986a81dd6a1ad68be076b94509a9de17b58f69c4cd1b014e7f11638a5048bb334d45e0625f52fa4336ec45ba6aa5554996df9d11940c1b36

Download Submit
memory/512-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1232-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1232-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1232-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2396-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4736-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4736-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4928-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4928-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download