neconyd | b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Size

96KB
MD5

6389bc155ba269a9096dac1d22b6643d
SHA1

b7223ece46cc54483d352f48dff04959596cbd9a
SHA256

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188
SHA512

ef4e28f551d352944f9481bb53bd543752c199f65fc6b0b2dd0513090023d22fe177dda38a7ee4149fe0f53fbbd835f75e230db510a6a9d57118e9247366afc7
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:TGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2076	omsecor.exe
1204	omsecor.exe
2984	omsecor.exe
1216	omsecor.exe
4380	omsecor.exe
3928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4844 set thread context of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 2076 set thread context of 1204	2076	omsecor.exe	88
PID 2984 set thread context of 1216	2984	omsecor.exe	108
PID 4380 set thread context of 3928	4380	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3664	4844	WerFault.exe	82
632	2076	WerFault.exe	86
3192	2984	WerFault.exe	107
2256	4380	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 4844 wrote to memory of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 4844 wrote to memory of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 4844 wrote to memory of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 4844 wrote to memory of 2480	4844	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	83
PID 2480 wrote to memory of 2076	2480	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	86
PID 2480 wrote to memory of 2076	2480	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	86
PID 2480 wrote to memory of 2076	2480	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	86
PID 2076 wrote to memory of 1204	2076	omsecor.exe	88
PID 2076 wrote to memory of 1204	2076	omsecor.exe	88
PID 2076 wrote to memory of 1204	2076	omsecor.exe	88
PID 2076 wrote to memory of 1204	2076	omsecor.exe	88
PID 2076 wrote to memory of 1204	2076	omsecor.exe	88
PID 1204 wrote to memory of 2984	1204	omsecor.exe	107
PID 1204 wrote to memory of 2984	1204	omsecor.exe	107
PID 1204 wrote to memory of 2984	1204	omsecor.exe	107
PID 2984 wrote to memory of 1216	2984	omsecor.exe	108
PID 2984 wrote to memory of 1216	2984	omsecor.exe	108
PID 2984 wrote to memory of 1216	2984	omsecor.exe	108
PID 2984 wrote to memory of 1216	2984	omsecor.exe	108
PID 2984 wrote to memory of 1216	2984	omsecor.exe	108
PID 1216 wrote to memory of 4380	1216	omsecor.exe	110
PID 1216 wrote to memory of 4380	1216	omsecor.exe	110
PID 1216 wrote to memory of 4380	1216	omsecor.exe	110
PID 4380 wrote to memory of 3928	4380	omsecor.exe	112
PID 4380 wrote to memory of 3928	4380	omsecor.exe	112
PID 4380 wrote to memory of 3928	4380	omsecor.exe	112
PID 4380 wrote to memory of 3928	4380	omsecor.exe	112
PID 4380 wrote to memory of 3928	4380	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
"C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 256
        8⤵
        Program crash
        
        PID:2256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 292
        6⤵
        Program crash
        
        PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 288
      4⤵
      Program crash
      PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 288
  2⤵
  - Program crash
  PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4844 -ip 4844
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2076 -ip 2076
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2984 -ip 2984
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4380 -ip 4380
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
568265efa57c082d996c1fba35c1b0bc

SHA1
0f67442955268f0ac91c0ebc5a0ccc6c29509a4e

SHA256
daadc581a9e83d30a3762cee747544384916274691f5194af20986f37184ca8f

SHA512
f8300f86f538e01445b1600423b2732e14182a3ddab9d936f840902582aa492e5af04ac6346d99b48b7afc3c2993ffdf6c033cc2f43e1c25fb54563585ea11ac

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
55909657b40da99b0ed528a78b8d8352

SHA1
312537908fbb9f7f9ec739bda022dfe6ec8bd5cb

SHA256
8fa55f6341c69d7d644d4de2ddf2d98882095a04f71afedf7b2686446ddc0fcb

SHA512
bf0b32ffe5ed9d0a10dd55d8f29934bc56ec48c05b7821d6af6441cf99d3811821276d42916dae2fa1d1fa8d95e15563a389923397bcf973107a0e8c0f89e245

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
994dc22c088b5a0a1aa921688e6a2bcc

SHA1
6567b0cfa65e5eb159d054f73e851e009c8ec3b2

SHA256
fe2b5fdcd2a4fe2ebe952fb0fd297a72996429d3cb099f85e31c0b0b38237ce2

SHA512
30c2fd00449c86c0b3a0a66fe1404be682d6761230d2e0217918d8bf76ef64f75f386562b9774e1894af55f8d75d2b2c5a5012e897edf5df083b2fd4c816a893

Download Submit
memory/1204-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3928-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4380-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4380-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4844-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4844-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download