neconyd | d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe
Size

96KB
MD5

471f49e3fe485b7ed02e5a754744f855
SHA1

23b95ccf3e5a579680dad54f63148b1a66d7a0f4
SHA256

d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636
SHA512

bba8483e9704f18381404d1ea94899277bb0c9a5c1dd90725655582674c54d3811b4c4504356611e699c36274d0b75c4e0742b003b65af7126eb840894a041ef
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:vGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2204	omsecor.exe
2840	omsecor.exe
1252	omsecor.exe
4556	omsecor.exe
2144	omsecor.exe
2100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 2204 set thread context of 2840	2204	omsecor.exe	88
PID 1252 set thread context of 4556	1252	omsecor.exe	107
PID 2144 set thread context of 2100	2144	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4536	2336	WerFault.exe	82
1512	2204	WerFault.exe	85
764	1252	WerFault.exe	106
776	2144	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 2336 wrote to memory of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 2336 wrote to memory of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 2336 wrote to memory of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 2336 wrote to memory of 3392	2336	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	83
PID 3392 wrote to memory of 2204	3392	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	85
PID 3392 wrote to memory of 2204	3392	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	85
PID 3392 wrote to memory of 2204	3392	d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe	85
PID 2204 wrote to memory of 2840	2204	omsecor.exe	88
PID 2204 wrote to memory of 2840	2204	omsecor.exe	88
PID 2204 wrote to memory of 2840	2204	omsecor.exe	88
PID 2204 wrote to memory of 2840	2204	omsecor.exe	88
PID 2204 wrote to memory of 2840	2204	omsecor.exe	88
PID 2840 wrote to memory of 1252	2840	omsecor.exe	106
PID 2840 wrote to memory of 1252	2840	omsecor.exe	106
PID 2840 wrote to memory of 1252	2840	omsecor.exe	106
PID 1252 wrote to memory of 4556	1252	omsecor.exe	107
PID 1252 wrote to memory of 4556	1252	omsecor.exe	107
PID 1252 wrote to memory of 4556	1252	omsecor.exe	107
PID 1252 wrote to memory of 4556	1252	omsecor.exe	107
PID 1252 wrote to memory of 4556	1252	omsecor.exe	107
PID 4556 wrote to memory of 2144	4556	omsecor.exe	109
PID 4556 wrote to memory of 2144	4556	omsecor.exe	109
PID 4556 wrote to memory of 2144	4556	omsecor.exe	109
PID 2144 wrote to memory of 2100	2144	omsecor.exe	111
PID 2144 wrote to memory of 2100	2144	omsecor.exe	111
PID 2144 wrote to memory of 2100	2144	omsecor.exe	111
PID 2144 wrote to memory of 2100	2144	omsecor.exe	111
PID 2144 wrote to memory of 2100	2144	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe
"C:\Users\Admin\AppData\Local\Temp\d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe
  C:\Users\Admin\AppData\Local\Temp\d250b89085e8576f4e882ef4f376d8c7a2226dc451ccd2ec73e57b924edea636.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 256
        8⤵
        Program crash
        
        PID:776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 292
        6⤵
        Program crash
        
        PID:764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 276
      4⤵
      Program crash
      PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 288
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2336 -ip 2336
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2204 -ip 2204
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1252 -ip 1252
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2144 -ip 2144
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d2d59ce5b1975057ecd787af12885e60

SHA1
dc2d5078e02c327f680c92a038a2fefb0e617c0e

SHA256
4e5187481b0bff38a6d63d5f4aeca7bed57ac62ae9434f39e97288229dd221c8

SHA512
2aa664806b529e19e6e5ddba47ff3407fd636a7eb949b82dcc8494ce4a7f1692120571ea49940af8936073b446966b9b1222ff9eaef57de8bed98286bbd86e26

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ca5473505aee2ebe76824260fb993d53

SHA1
0eade2fe67b31f7ef7878e6bc2ae0803b907cb3e

SHA256
a607d8bb3600b1be3af91054a8329ecd5840e02103b72b8e895aff77a99a3f7c

SHA512
c2deea8ca874e88059c8bd4d409bf5520da82eb30f8876e8edcf694d52d89eba0967ce8eb5fe906cb8b18aff779c653601dbc40de658f7702500b9016f810b97

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d423d076b7f1fddd6a5575544eb167b1

SHA1
56ec25254e3ecb128cf4337d981bcd0b4b23d2eb

SHA256
34476c925d054185b31eacc24a715e5a34fef3adecf9e724c5b08c8de267a11d

SHA512
9c7170c29adc437af38becd162d75c598e1d9e230ac52335b1c7196e34c7642d6037aae10d62b6a07e2e7ee6756479a843611d03c2549811c2fdd26b8d6a041f

Download Submit
memory/1252-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2100-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4556-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4556-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4556-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download