neconyd | b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Size

96KB
MD5

6389bc155ba269a9096dac1d22b6643d
SHA1

b7223ece46cc54483d352f48dff04959596cbd9a
SHA256

b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188
SHA512

ef4e28f551d352944f9481bb53bd543752c199f65fc6b0b2dd0513090023d22fe177dda38a7ee4149fe0f53fbbd835f75e230db510a6a9d57118e9247366afc7
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:TGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2716	omsecor.exe
3432	omsecor.exe
1568	omsecor.exe
412	omsecor.exe
4956	omsecor.exe
4668	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 2716 set thread context of 3432	2716	omsecor.exe	86
PID 1568 set thread context of 412	1568	omsecor.exe	100
PID 4956 set thread context of 4668	4956	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4544	2716	WerFault.exe	84
2148	8	WerFault.exe	81
4596	1568	WerFault.exe	99
812	4956	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 8 wrote to memory of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 8 wrote to memory of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 8 wrote to memory of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 8 wrote to memory of 4928	8	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	82
PID 4928 wrote to memory of 2716	4928	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	84
PID 4928 wrote to memory of 2716	4928	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	84
PID 4928 wrote to memory of 2716	4928	b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe	84
PID 2716 wrote to memory of 3432	2716	omsecor.exe	86
PID 2716 wrote to memory of 3432	2716	omsecor.exe	86
PID 2716 wrote to memory of 3432	2716	omsecor.exe	86
PID 2716 wrote to memory of 3432	2716	omsecor.exe	86
PID 2716 wrote to memory of 3432	2716	omsecor.exe	86
PID 3432 wrote to memory of 1568	3432	omsecor.exe	99
PID 3432 wrote to memory of 1568	3432	omsecor.exe	99
PID 3432 wrote to memory of 1568	3432	omsecor.exe	99
PID 1568 wrote to memory of 412	1568	omsecor.exe	100
PID 1568 wrote to memory of 412	1568	omsecor.exe	100
PID 1568 wrote to memory of 412	1568	omsecor.exe	100
PID 1568 wrote to memory of 412	1568	omsecor.exe	100
PID 1568 wrote to memory of 412	1568	omsecor.exe	100
PID 412 wrote to memory of 4956	412	omsecor.exe	102
PID 412 wrote to memory of 4956	412	omsecor.exe	102
PID 412 wrote to memory of 4956	412	omsecor.exe	102
PID 4956 wrote to memory of 4668	4956	omsecor.exe	103
PID 4956 wrote to memory of 4668	4956	omsecor.exe	103
PID 4956 wrote to memory of 4668	4956	omsecor.exe	103
PID 4956 wrote to memory of 4668	4956	omsecor.exe	103
PID 4956 wrote to memory of 4668	4956	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
"C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  C:\Users\Admin\AppData\Local\Temp\b8bd75724e9fb513d307611d68283fac3e402597ecae46726af3aa300aee6188.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 268
        8⤵
        Program crash
        
        PID:812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 292
        6⤵
        Program crash
        
        PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 300
      4⤵
      Program crash
      PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 288
  2⤵
  - Program crash
  PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2716 -ip 2716
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1568 -ip 1568
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4956 -ip 4956
1⤵
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fadc4d58b012cf03798960a12b537a2a

SHA1
5ebc3da91b793c81e4f6e037d4c59843801026fb

SHA256
b23a4255975c58a98ba8bcfefcb196ea4ec7914ce8367f12b719abf3a292bd12

SHA512
abc40777fd75bcd283825cb635a939424f5c6260553ad0e7d70a233497c3c6daeee27cce01da4bccbd7c328ee78ff2aef2373e4efcdcd4c3c94afe3eebfbe3b2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
55909657b40da99b0ed528a78b8d8352

SHA1
312537908fbb9f7f9ec739bda022dfe6ec8bd5cb

SHA256
8fa55f6341c69d7d644d4de2ddf2d98882095a04f71afedf7b2686446ddc0fcb

SHA512
bf0b32ffe5ed9d0a10dd55d8f29934bc56ec48c05b7821d6af6441cf99d3811821276d42916dae2fa1d1fa8d95e15563a389923397bcf973107a0e8c0f89e245

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6f8a05dd7b411ca4bd90165b1612a2e7

SHA1
97afb57785de101bd319d0ea4b61ac8beeb6b61a

SHA256
8f46b6032be9ca61c4f4d17706d0c0226b632908ecb43d386f48ed06dcd9267e

SHA512
f0abbd7c58680d98006fe4ed9133ab2b653a515a9263e52afc9fb6f08cc21854ebd48cb55ad0eef4b266a6fcae7fe57680be730d8621d8b0d2a18d4509409f1e

Download Submit
memory/8-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/8-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/412-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/412-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/412-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1568-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1568-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3432-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4668-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4668-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4668-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4668-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4928-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4928-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4928-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4928-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4956-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download