neconyd | 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Size

96KB
MD5

8cf5d2de5a442b238701e0c509d5dbed
SHA1

5621535b5949f5ab0b93de04939da73d4efb3720
SHA256

33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b
SHA512

aec251a989d46f3cb7949574b0c46dce0ca003bab515c8b5cae44442411f0deb5d857ebe3a754439ef4aec15287c9367467c799fbeeb01a6216a58e4cbdba35c
SSDEEP

1536:7nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:7Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3824	omsecor.exe
3552	omsecor.exe
3348	omsecor.exe
1936	omsecor.exe
1568	omsecor.exe
3604	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 3824 set thread context of 3552	3824	omsecor.exe	86
PID 3348 set thread context of 1936	3348	omsecor.exe	100
PID 1568 set thread context of 3604	1568	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2632	3824	WerFault.exe	84
4676	4912	WerFault.exe	81
2680	3348	WerFault.exe	99
3216	1568	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 4912 wrote to memory of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 4912 wrote to memory of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 4912 wrote to memory of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 4912 wrote to memory of 720	4912	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	82
PID 720 wrote to memory of 3824	720	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	84
PID 720 wrote to memory of 3824	720	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	84
PID 720 wrote to memory of 3824	720	33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe	84
PID 3824 wrote to memory of 3552	3824	omsecor.exe	86
PID 3824 wrote to memory of 3552	3824	omsecor.exe	86
PID 3824 wrote to memory of 3552	3824	omsecor.exe	86
PID 3824 wrote to memory of 3552	3824	omsecor.exe	86
PID 3824 wrote to memory of 3552	3824	omsecor.exe	86
PID 3552 wrote to memory of 3348	3552	omsecor.exe	99
PID 3552 wrote to memory of 3348	3552	omsecor.exe	99
PID 3552 wrote to memory of 3348	3552	omsecor.exe	99
PID 3348 wrote to memory of 1936	3348	omsecor.exe	100
PID 3348 wrote to memory of 1936	3348	omsecor.exe	100
PID 3348 wrote to memory of 1936	3348	omsecor.exe	100
PID 3348 wrote to memory of 1936	3348	omsecor.exe	100
PID 3348 wrote to memory of 1936	3348	omsecor.exe	100
PID 1936 wrote to memory of 1568	1936	omsecor.exe	102
PID 1936 wrote to memory of 1568	1936	omsecor.exe	102
PID 1936 wrote to memory of 1568	1936	omsecor.exe	102
PID 1568 wrote to memory of 3604	1568	omsecor.exe	103
PID 1568 wrote to memory of 3604	1568	omsecor.exe	103
PID 1568 wrote to memory of 3604	1568	omsecor.exe	103
PID 1568 wrote to memory of 3604	1568	omsecor.exe	103
PID 1568 wrote to memory of 3604	1568	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
"C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 268
        8⤵
        Program crash
        
        PID:3216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 296
        6⤵
        Program crash
        
        PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 300
      4⤵
      Program crash
      PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 288
  2⤵
  - Program crash
  PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4912 -ip 4912
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3824 -ip 3824
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3348 -ip 3348
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1568 -ip 1568
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b1daa022752bc7c934f032e0491e8b3e

SHA1
6d6cd427dada04efd0bbb05780099fa7564838a1

SHA256
aeb4be332e78dec9e46ffbf2aca6b40b63ac229546612af6ad2abffaa405b636

SHA512
a7aaaffb35d163102d5dfbd7f5fdf87c604c70a3d24b83b00f4add19e638f5c53b3e3d2a316d77b8f927c275164303ff047e5c0bc204606cf3b6d4ed48455535

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e6582fd2a53dd0fd69a510709218210c

SHA1
9d0785aab0572c6ad1f2c4ac05964cc3fde5b90c

SHA256
2eefc66a4a30098447bae464b94a2ec1a8069309a2ac724dfa6146b9a00d7e5b

SHA512
2e06bff8aa7a850336edc1ef3ce4cf7e11a776643c6bfd2999fbc5a06b1bdfc54ad7521b04fc240664e58c5e7a3c7f8eae907d56bb739e1dceac181771a180ae

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
02950fb0211156d9109adef3f744ed2c

SHA1
9643dddc77e86d7a4383f3ea381b0954309b8a73

SHA256
e82aa1f506283372f833463811548969911d1b6c82620588697d6b5abd1ac6f9

SHA512
e85f4fc8031670d96be81960d7323b2e8756f579c9bfa97f7b68e2712a5e058716e7da5da251536fd422f56ee6fa3c98d8daba19dd3b5a230f75bb9792fb0a6c

Download Submit
memory/720-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1568-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3348-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3552-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3824-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3824-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4912-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4912-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download