neconyd | 05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
Size

96KB
MD5

987c54fdd083d17c17554d5be2d45b50
SHA1

cfea6bab95d0b94863a475ad95ed9c9c19fc64a6
SHA256

05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6
SHA512

63a2a73a4cae5582d98c78ec5bc58f8dcc90abe83a042a3553766abe3a479fea5a0b9155a9dbfc3853b10e3ad2a2baf7e3fde38f96a6844cca78e8da275da8d8
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4800	omsecor.exe
3256	omsecor.exe
4160	omsecor.exe
4304	omsecor.exe
2020	omsecor.exe
2060	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3512 set thread context of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 4800 set thread context of 3256	4800	omsecor.exe	88
PID 4160 set thread context of 4304	4160	omsecor.exe	109
PID 2020 set thread context of 2060	2020	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
208	3512	WerFault.exe	82
3000	4800	WerFault.exe	86
4780	4160	WerFault.exe	108
2324	2020	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 3512 wrote to memory of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 3512 wrote to memory of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 3512 wrote to memory of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 3512 wrote to memory of 1604	3512	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	83
PID 1604 wrote to memory of 4800	1604	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	86
PID 1604 wrote to memory of 4800	1604	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	86
PID 1604 wrote to memory of 4800	1604	05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe	86
PID 4800 wrote to memory of 3256	4800	omsecor.exe	88
PID 4800 wrote to memory of 3256	4800	omsecor.exe	88
PID 4800 wrote to memory of 3256	4800	omsecor.exe	88
PID 4800 wrote to memory of 3256	4800	omsecor.exe	88
PID 4800 wrote to memory of 3256	4800	omsecor.exe	88
PID 3256 wrote to memory of 4160	3256	omsecor.exe	108
PID 3256 wrote to memory of 4160	3256	omsecor.exe	108
PID 3256 wrote to memory of 4160	3256	omsecor.exe	108
PID 4160 wrote to memory of 4304	4160	omsecor.exe	109
PID 4160 wrote to memory of 4304	4160	omsecor.exe	109
PID 4160 wrote to memory of 4304	4160	omsecor.exe	109
PID 4160 wrote to memory of 4304	4160	omsecor.exe	109
PID 4160 wrote to memory of 4304	4160	omsecor.exe	109
PID 4304 wrote to memory of 2020	4304	omsecor.exe	111
PID 4304 wrote to memory of 2020	4304	omsecor.exe	111
PID 4304 wrote to memory of 2020	4304	omsecor.exe	111
PID 2020 wrote to memory of 2060	2020	omsecor.exe	113
PID 2020 wrote to memory of 2060	2020	omsecor.exe	113
PID 2020 wrote to memory of 2060	2020	omsecor.exe	113
PID 2020 wrote to memory of 2060	2020	omsecor.exe	113
PID 2020 wrote to memory of 2060	2020	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
"C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
  C:\Users\Admin\AppData\Local\Temp\05795e6f19d86540deee50ed78b0fb586e4df85da14b5fa4d0e547ac6bbe16c6N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 256
        8⤵
        Program crash
        
        PID:2324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 292
        6⤵
        Program crash
        
        PID:4780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 300
      4⤵
      Program crash
      PID:3000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 288
  2⤵
  - Program crash
  PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3512 -ip 3512
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4800 -ip 4800
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4160 -ip 4160
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2020 -ip 2020
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e5032e75a62d332da4523d15fbefb59e

SHA1
4557f1130b7289ed9d76e3592fb034adb12c454e

SHA256
5b8584b1c872c378312e35a68a2530e5dc517f78d61279e56b8eb941c8738062

SHA512
2720fc4e020419e5a1687bd1abf6963bbfb469d2da5ba569d9ee630d1e2501272fe2a0bf085e3706ed3580a67954612ec36cc942816ea091c24297a5191cd222

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
44f6debd2a0283facf0487a88215151b

SHA1
3cdc00b36882138c90df0cd19968b90d81a7f134

SHA256
a458ed20f996d2e5a7eac7fe28337b6eb56f2b6b7672e7d0a22e95129aeb7395

SHA512
bf5b3bb00cd7d2900966c881089ad621151d900f140b26410621fdc8196138739a801cafef9475946c32b244e17411c9e95e0a26b34512cab1a60a9a0dee38c1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1403173b2764b2e250c24ae19ea99a65

SHA1
ff62d85648d89e30966085a9107ee87b1dc0a074

SHA256
7b718aab67d9d05f5bd693c0ed5967cd53c65d67e3b94a93e5c7efdca2513481

SHA512
019a6c572ba01544bafac992ec837e011d1df763596d9c7a9eb6c3fed623c4e049396ac6a1e3f63317054c2c3abbe351005e29320cc74093d9140fbe8491be27

Download Submit
memory/1604-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3256-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4160-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4160-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4304-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4304-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4304-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4800-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download