neconyd | dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
Size

96KB
MD5

6265f95b5751682f1cf51e2acbf42108
SHA1

1a92795b59ed886e299a84b5f1c6d179a7f9fda5
SHA256

dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7
SHA512

4614dc6c42a212b50e3fe839f9fbd2197fe34cb92e1c053506cb7f13087f8c16c35c2a4b1171d9cba76d8d815ed4605076452ae5af01b1c378a62e39e4c15c4b
SSDEEP

1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:xGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2304	omsecor.exe
1696	omsecor.exe
2096	omsecor.exe
2316	omsecor.exe
4716	omsecor.exe
1384	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 2304 set thread context of 1696	2304	omsecor.exe	87
PID 2096 set thread context of 2316	2096	omsecor.exe	100
PID 4716 set thread context of 1384	4716	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1032	392	WerFault.exe	81
4016	2304	WerFault.exe	84
4952	2096	WerFault.exe	99
1104	4716	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 392 wrote to memory of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 392 wrote to memory of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 392 wrote to memory of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 392 wrote to memory of 1068	392	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	82
PID 1068 wrote to memory of 2304	1068	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	84
PID 1068 wrote to memory of 2304	1068	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	84
PID 1068 wrote to memory of 2304	1068	dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe	84
PID 2304 wrote to memory of 1696	2304	omsecor.exe	87
PID 2304 wrote to memory of 1696	2304	omsecor.exe	87
PID 2304 wrote to memory of 1696	2304	omsecor.exe	87
PID 2304 wrote to memory of 1696	2304	omsecor.exe	87
PID 2304 wrote to memory of 1696	2304	omsecor.exe	87
PID 1696 wrote to memory of 2096	1696	omsecor.exe	99
PID 1696 wrote to memory of 2096	1696	omsecor.exe	99
PID 1696 wrote to memory of 2096	1696	omsecor.exe	99
PID 2096 wrote to memory of 2316	2096	omsecor.exe	100
PID 2096 wrote to memory of 2316	2096	omsecor.exe	100
PID 2096 wrote to memory of 2316	2096	omsecor.exe	100
PID 2096 wrote to memory of 2316	2096	omsecor.exe	100
PID 2096 wrote to memory of 2316	2096	omsecor.exe	100
PID 2316 wrote to memory of 4716	2316	omsecor.exe	102
PID 2316 wrote to memory of 4716	2316	omsecor.exe	102
PID 2316 wrote to memory of 4716	2316	omsecor.exe	102
PID 4716 wrote to memory of 1384	4716	omsecor.exe	104
PID 4716 wrote to memory of 1384	4716	omsecor.exe	104
PID 4716 wrote to memory of 1384	4716	omsecor.exe	104
PID 4716 wrote to memory of 1384	4716	omsecor.exe	104
PID 4716 wrote to memory of 1384	4716	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
"C:\Users\Admin\AppData\Local\Temp\dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
  C:\Users\Admin\AppData\Local\Temp\dc8638a995ef9800aae48a3a82ad44044a944229352cc366c1db73d9380f0ac7.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 268
        8⤵
        Program crash
        
        PID:1104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 292
        6⤵
        Program crash
        
        PID:4952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 300
      4⤵
      Program crash
      PID:4016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 300
  2⤵
  - Program crash
  PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 392 -ip 392
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2304 -ip 2304
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2096 -ip 2096
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4716 -ip 4716
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9ade5a53ecce1e17219b4c969d34b375

SHA1
23b5820690655053ddd62479a80c05b14353978f

SHA256
74c9c09f16f6ad9c5fc1a33e46b69f92376e9ada28b73873b37977c6834ceb3e

SHA512
baa886f5700dd1f52acac4948ebb83f8e877d13d9d69d46f4ba58450f63a7b15d7c03eeec3a39b52e6c12587a0879e1fb2b0c2aab8159477e3f6d4803f52e983

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c7c47a004eb060f5a0cc1fda7b78e9d9

SHA1
8ff3b25b85402f6c5b7009655419da2615c8ba5c

SHA256
6b602921fe6ba928bb6fa63287bf293280a23f637eef3b7da9d1a7d36c59c3cf

SHA512
c4232b41e51e1f450ea95fe1f71f902c354f822c68cd695d11505ae5e7be1985084d082b821ec272d86c845e7186b6a984430e47dbde02c12ad066de84707a5f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
35be527d062e21c830f18e190dfbfcc9

SHA1
1f13f01c9151b9aac7c458ee4e7d34216328aa39

SHA256
e6f8aa23a45be32d47df71a34fe336bd66d4c86e0956e40f006de9058129b5a5

SHA512
28d72307e590db27d9c8566dc2fad947e94e6654184cc4e2c11489fabdacd0dbecfeb37afa2749c0c659353773dcacb4f4c017a403c9a1f3bb6861feb841d482

Download Submit
memory/392-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/392-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1068-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1068-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1068-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1068-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2304-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2304-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2316-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4716-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download