neconyd | 7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2025, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Size

96KB
MD5

91de4d3077d1c1beab2298acba54cab6
SHA1

ae455abf836a7955ec04d529f99fe68e10556d6d
SHA256

7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1
SHA512

d655e8c4b8164bf5d6366839be8dd22e3949ffe2edd61607134f8c0b0c8f7f518c1f03bf01f5593c3160a93296afa717a6dff9ac7518331be46776c6c496b9d4
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2896	omsecor.exe
3080	omsecor.exe
2468	omsecor.exe
1576	omsecor.exe
876	omsecor.exe
712	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 2896 set thread context of 3080	2896	omsecor.exe	87
PID 2468 set thread context of 1576	2468	omsecor.exe	100
PID 876 set thread context of 712	876	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4232	2056	WerFault.exe	81
3600	2896	WerFault.exe	85
4672	2468	WerFault.exe	99
3660	876	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 2056 wrote to memory of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 2056 wrote to memory of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 2056 wrote to memory of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 2056 wrote to memory of 3908	2056	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	82
PID 3908 wrote to memory of 2896	3908	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	85
PID 3908 wrote to memory of 2896	3908	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	85
PID 3908 wrote to memory of 2896	3908	7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe	85
PID 2896 wrote to memory of 3080	2896	omsecor.exe	87
PID 2896 wrote to memory of 3080	2896	omsecor.exe	87
PID 2896 wrote to memory of 3080	2896	omsecor.exe	87
PID 2896 wrote to memory of 3080	2896	omsecor.exe	87
PID 2896 wrote to memory of 3080	2896	omsecor.exe	87
PID 3080 wrote to memory of 2468	3080	omsecor.exe	99
PID 3080 wrote to memory of 2468	3080	omsecor.exe	99
PID 3080 wrote to memory of 2468	3080	omsecor.exe	99
PID 2468 wrote to memory of 1576	2468	omsecor.exe	100
PID 2468 wrote to memory of 1576	2468	omsecor.exe	100
PID 2468 wrote to memory of 1576	2468	omsecor.exe	100
PID 2468 wrote to memory of 1576	2468	omsecor.exe	100
PID 2468 wrote to memory of 1576	2468	omsecor.exe	100
PID 1576 wrote to memory of 876	1576	omsecor.exe	102
PID 1576 wrote to memory of 876	1576	omsecor.exe	102
PID 1576 wrote to memory of 876	1576	omsecor.exe	102
PID 876 wrote to memory of 712	876	omsecor.exe	104
PID 876 wrote to memory of 712	876	omsecor.exe	104
PID 876 wrote to memory of 712	876	omsecor.exe	104
PID 876 wrote to memory of 712	876	omsecor.exe	104
PID 876 wrote to memory of 712	876	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
"C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
  C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 268
        8⤵
        Program crash
        
        PID:3660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 292
        6⤵
        Program crash
        
        PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 300
      4⤵
      Program crash
      PID:3600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 296
  2⤵
  - Program crash
  PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2056 -ip 2056
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2896 -ip 2896
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2468 -ip 2468
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 876 -ip 876
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ed3abde2e6492399e88a0d1e78db5f6e

SHA1
df95dc805773beb2a478e0f6555abb163f8856db

SHA256
8e9a6e822a80aa3c140fcbd41b4618357c3f04ad4a8a27045032ace2e0d43326

SHA512
1740b36e59b513b8b2c5086dc486d986d58a10bc2029940b464955a1b031cbbe5aaba723901fb0b233c5258a37624ebf312205bcd73b776f1f861f3651be8f5a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a917b9eece10e40f46ceded24557a52d

SHA1
06b3270e31c8642d941cc0540079a7fd095e6547

SHA256
69d04ebd8aa9f71a5db05b7e62bd9781423c5fc0302f0734d7cd8cc9b1a203b5

SHA512
9617a91563c29c336e9d1339b06e9de54938ef04a92de365a1f3bf6fd41f890b1c474713f726224a51cdbd7c7a5ce4201a26ba16383dd6ae8ac911b893f06405

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b55b713e6010d86e40a45ba16389704e

SHA1
45488e55c6dcadc1eff796d099d00d72bfdc3a67

SHA256
204ea023c3071beec86d960a8126ceaec6eba6e314355db76c1c6c578bb0208e

SHA512
88193c83f100ac9e1585980f4614cc2dade31657b69547b4c8f38cfdb0e70c20f75c7cd24671b96dbb09ad9edbfb724f811f8b34814f4dece8073d649682e907

Download Submit
memory/712-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/712-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/712-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/712-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/876-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/876-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1576-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1576-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1576-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2896-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3080-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download