neconyd | 4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Size

96KB
MD5

6d30139c97061226b75734e12f9c146f
SHA1

a432498b8f76246384be111074ef32d22e116f23
SHA256

4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae
SHA512

feca400a35b991e71b65249c928f9aa9502459a55e1673d9ebc0af047b9a8b7a8909e391dbd2ede25652cd71f4caaed275f2461bc15e489993193a1ea703bbda
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:xGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2020	omsecor.exe
3944	omsecor.exe
1396	omsecor.exe
2432	omsecor.exe
380	omsecor.exe
928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 2020 set thread context of 3944	2020	omsecor.exe	86
PID 1396 set thread context of 2432	1396	omsecor.exe	100
PID 380 set thread context of 928	380	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4828	1980	WerFault.exe	81
1984	2020	WerFault.exe	84
3432	1396	WerFault.exe	99
4368	380	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 1980 wrote to memory of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 1980 wrote to memory of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 1980 wrote to memory of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 1980 wrote to memory of 4436	1980	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	82
PID 4436 wrote to memory of 2020	4436	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	84
PID 4436 wrote to memory of 2020	4436	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	84
PID 4436 wrote to memory of 2020	4436	4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe	84
PID 2020 wrote to memory of 3944	2020	omsecor.exe	86
PID 2020 wrote to memory of 3944	2020	omsecor.exe	86
PID 2020 wrote to memory of 3944	2020	omsecor.exe	86
PID 2020 wrote to memory of 3944	2020	omsecor.exe	86
PID 2020 wrote to memory of 3944	2020	omsecor.exe	86
PID 3944 wrote to memory of 1396	3944	omsecor.exe	99
PID 3944 wrote to memory of 1396	3944	omsecor.exe	99
PID 3944 wrote to memory of 1396	3944	omsecor.exe	99
PID 1396 wrote to memory of 2432	1396	omsecor.exe	100
PID 1396 wrote to memory of 2432	1396	omsecor.exe	100
PID 1396 wrote to memory of 2432	1396	omsecor.exe	100
PID 1396 wrote to memory of 2432	1396	omsecor.exe	100
PID 1396 wrote to memory of 2432	1396	omsecor.exe	100
PID 2432 wrote to memory of 380	2432	omsecor.exe	102
PID 2432 wrote to memory of 380	2432	omsecor.exe	102
PID 2432 wrote to memory of 380	2432	omsecor.exe	102
PID 380 wrote to memory of 928	380	omsecor.exe	104
PID 380 wrote to memory of 928	380	omsecor.exe	104
PID 380 wrote to memory of 928	380	omsecor.exe	104
PID 380 wrote to memory of 928	380	omsecor.exe	104
PID 380 wrote to memory of 928	380	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
"C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
  C:\Users\Admin\AppData\Local\Temp\4dbbc58ca87035dea64ae033f73c76735b0868a034ef53791754463a9055ddae.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 256
        8⤵
        Program crash
        
        PID:4368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 292
        6⤵
        Program crash
        
        PID:3432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 288
      4⤵
      Program crash
      PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 288
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1980 -ip 1980
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2020 -ip 2020
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1396 -ip 1396
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 380 -ip 380
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b22de1177f0eadb4534064568df2f3fa

SHA1
0c08ed140f7979871ce7a85cc48d1ccd81247e14

SHA256
9a80f379638acd859b7758a3751b61a00410c3a2ecc5efaf49ecf6369098adb5

SHA512
08ed4a9c770301be064cd58c38f950fa786f88c654f7daf9179023a084468a8575844db7edc67f3b6b7a43d7a11b9896619703c784f3d0665e1ea5811ce6ff28

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
473030f0c4c1ad124616902b364d422f

SHA1
9dfe4b0ee3ed75cb55f9909256e08f241b2cdf77

SHA256
802715f2799d8ac4c5587619ba598638df32e5473838c2910ec36041b506a84e

SHA512
5142d4ad4711307843612b6e36feed800bf75465e196e668f215124f7b857fecfd4118eadee29e51a97519f3f6ced174e95d4e9fe12b84b47f148015717a9aca

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d0bbd2b53902b7aa1283db6e257fc2d1

SHA1
698c40dc013a28367ca1ed0c3a852da415943ad4

SHA256
08606e786a74c92f583f3477427299d4d407b3ec4df781ae9bf7cfe3f95127e8

SHA512
397c497199d9ec542c1786f7120d417267b03c911e501235047b4525b1af8842866670c77e6202bab50f1acd32b483c73e63f31bb96b18af943cebd90fdb9f31

Download Submit
memory/380-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/928-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/928-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/928-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/928-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1396-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download