neconyd | f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
Size

96KB
MD5

3076cf51738ce95e89569894b2fc7b40
SHA1

7d60990e226390257d7627dc0bb21ae491a21391
SHA256

f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e
SHA512

cc311f8be8e08e1b1fbda869352201283671fedadd89b9fd7b9d3af7591d11d0273a1941793e372b948431f4a8170a687148714f2aee3e17824bfbeffc949d10
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:EGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4464	omsecor.exe
5036	omsecor.exe
4844	omsecor.exe
3468	omsecor.exe
4892	omsecor.exe
2436	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 4464 set thread context of 5036	4464	omsecor.exe	87
PID 4844 set thread context of 3468	4844	omsecor.exe	107
PID 4892 set thread context of 2436	4892	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4336	4464	WerFault.exe	85
3312	3032	WerFault.exe	82
4616	4844	WerFault.exe	106
3592	4892	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 3032 wrote to memory of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 3032 wrote to memory of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 3032 wrote to memory of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 3032 wrote to memory of 2084	3032	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	83
PID 2084 wrote to memory of 4464	2084	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	85
PID 2084 wrote to memory of 4464	2084	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	85
PID 2084 wrote to memory of 4464	2084	f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe	85
PID 4464 wrote to memory of 5036	4464	omsecor.exe	87
PID 4464 wrote to memory of 5036	4464	omsecor.exe	87
PID 4464 wrote to memory of 5036	4464	omsecor.exe	87
PID 4464 wrote to memory of 5036	4464	omsecor.exe	87
PID 4464 wrote to memory of 5036	4464	omsecor.exe	87
PID 5036 wrote to memory of 4844	5036	omsecor.exe	106
PID 5036 wrote to memory of 4844	5036	omsecor.exe	106
PID 5036 wrote to memory of 4844	5036	omsecor.exe	106
PID 4844 wrote to memory of 3468	4844	omsecor.exe	107
PID 4844 wrote to memory of 3468	4844	omsecor.exe	107
PID 4844 wrote to memory of 3468	4844	omsecor.exe	107
PID 4844 wrote to memory of 3468	4844	omsecor.exe	107
PID 4844 wrote to memory of 3468	4844	omsecor.exe	107
PID 3468 wrote to memory of 4892	3468	omsecor.exe	109
PID 3468 wrote to memory of 4892	3468	omsecor.exe	109
PID 3468 wrote to memory of 4892	3468	omsecor.exe	109
PID 4892 wrote to memory of 2436	4892	omsecor.exe	111
PID 4892 wrote to memory of 2436	4892	omsecor.exe	111
PID 4892 wrote to memory of 2436	4892	omsecor.exe	111
PID 4892 wrote to memory of 2436	4892	omsecor.exe	111
PID 4892 wrote to memory of 2436	4892	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
"C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
  C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 256
        8⤵
        Program crash
        
        PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 292
        6⤵
        Program crash
        
        PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 292
      4⤵
      Program crash
      PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 288
  2⤵
  - Program crash
  PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3032 -ip 3032
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4464 -ip 4464
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4844 -ip 4844
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4892 -ip 4892
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
37cdf847e6425f2f632ed06d85d91e6b

SHA1
b59384d47fcb4cbea02ae2397cd877f55fa62cf4

SHA256
1b441f6a53c198fbae58887f4ddcdc14324e0abefe99afad8c653562b2b03e7b

SHA512
5e9e2aa655b78eec17627accdf161f50fd633d17b58d5ae3b611d5c81328e7fff0b7892232d26976d73927fba288c09b9fc1f020845daad5f6a5b25a88204be7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5380557f87dbdce5df6b891ee51953ca

SHA1
3bf0eb859e6cf123bb090297e8b99fb23580810a

SHA256
cab388cb4ff5ea21173816d2f7f694f83137c0b08ffd51dc20bc3b249173bac6

SHA512
729c20863b1f4dbdadff127e4706d4785e6ac721f50afeafb91ec14ff15a94430b11e225848c06df8af06253c808178ff56b70ac268cbe28c0b90bbfdce229ea

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
20c7d3f62faba13a9d661f41d2634c28

SHA1
1c0351c6f7377765eec4e94cf30ad51a8f406bc0

SHA256
9f99822c01e720336c0871b219230583ff39113e667f21f788fe0e2dd1d029b8

SHA512
4792a96494cb0b56977c1d26b0456ba05e2a499a6fb12dce0752e50da28d25077c3e0b280df8f0029c652d146f7f41be8f4746dfafe2276af731c4f8d9d2bd2b

Download Submit
memory/2084-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3032-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3468-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4464-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4464-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4844-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4844-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4892-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5036-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5036-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download