neconyd | 93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Size

96KB
MD5

7cf5710b6312198f6ba4c3c03656deb0
SHA1

043d29d59d239d30ddc7573df9bf7ce99d2d3369
SHA256

93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19
SHA512

77487984acede01d4c3fb74dbcbb097898ed351747c3b5173dbad9f763d7689f8cfed4ace9bd47d00e439325d166f61c032df1f279c5b2e955babd3bccbc6645
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4200	omsecor.exe
1692	omsecor.exe
3536	omsecor.exe
1672	omsecor.exe
2904	omsecor.exe
2680	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 4200 set thread context of 1692	4200	omsecor.exe	87
PID 3536 set thread context of 1672	3536	omsecor.exe	109
PID 2904 set thread context of 2680	2904	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3644	1900	WerFault.exe	82
3504	4200	WerFault.exe	85
4864	3536	WerFault.exe	108
3012	2904	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 1900 wrote to memory of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 1900 wrote to memory of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 1900 wrote to memory of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 1900 wrote to memory of 4812	1900	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	83
PID 4812 wrote to memory of 4200	4812	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	85
PID 4812 wrote to memory of 4200	4812	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	85
PID 4812 wrote to memory of 4200	4812	93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe	85
PID 4200 wrote to memory of 1692	4200	omsecor.exe	87
PID 4200 wrote to memory of 1692	4200	omsecor.exe	87
PID 4200 wrote to memory of 1692	4200	omsecor.exe	87
PID 4200 wrote to memory of 1692	4200	omsecor.exe	87
PID 4200 wrote to memory of 1692	4200	omsecor.exe	87
PID 1692 wrote to memory of 3536	1692	omsecor.exe	108
PID 1692 wrote to memory of 3536	1692	omsecor.exe	108
PID 1692 wrote to memory of 3536	1692	omsecor.exe	108
PID 3536 wrote to memory of 1672	3536	omsecor.exe	109
PID 3536 wrote to memory of 1672	3536	omsecor.exe	109
PID 3536 wrote to memory of 1672	3536	omsecor.exe	109
PID 3536 wrote to memory of 1672	3536	omsecor.exe	109
PID 3536 wrote to memory of 1672	3536	omsecor.exe	109
PID 1672 wrote to memory of 2904	1672	omsecor.exe	111
PID 1672 wrote to memory of 2904	1672	omsecor.exe	111
PID 1672 wrote to memory of 2904	1672	omsecor.exe	111
PID 2904 wrote to memory of 2680	2904	omsecor.exe	112
PID 2904 wrote to memory of 2680	2904	omsecor.exe	112
PID 2904 wrote to memory of 2680	2904	omsecor.exe	112
PID 2904 wrote to memory of 2680	2904	omsecor.exe	112
PID 2904 wrote to memory of 2680	2904	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
"C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
  C:\Users\Admin\AppData\Local\Temp\93e7cc7e87b8f8ea1669d3c349bf5f2a704596aa1694ee24e6b39f01f3168f19N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 268
        8⤵
        Program crash
        
        PID:3012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 292
        6⤵
        Program crash
        
        PID:4864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 276
      4⤵
      Program crash
      PID:3504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 288
  2⤵
  - Program crash
  PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1900 -ip 1900
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4200 -ip 4200
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3536 -ip 3536
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2904 -ip 2904
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
663c207e0f63cad3c8bc50846319d865

SHA1
36b43347564bece1f8e9dd657fedd996c1a3c3df

SHA256
4a01b77c6e62312bf6c96d1b2ae45d22e7b0fda6fb8cd6c8bcab06c48e964a09

SHA512
b2ab36833024a90f3b44230d186e13e0b259834a60cacf43d7b1b1edb0d5d72e77388fa3e1aaa0299ce30e6405cae26cee2c89a144362e3b9b3c7dae49d78fb8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7e8ca65ee1b577524e4e09cf5e899864

SHA1
c99a59ad46b22b11a55776306a83b790ea0a3adb

SHA256
fb630745f04e0e7481e3a695f116d242e3241a7c97cf03388a4c3fba67614f0e

SHA512
455f31537f77c1b29367200f4005d4da9c9439efbeb029bb6b554cd784b480490eff9faf0d5e472ac140cce08f9f76109874061f91c8bd241cded94eca538f1f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b751f9b257b30f0d1809e8294f3f5863

SHA1
b8701c3aebdaea36664e3b8cf7d2d2a9b51829c1

SHA256
3a1d6ec3d0474cbd20a58e1ada61525be86a2ce6d077ba0c33c00dbcbb4623dd

SHA512
d3a0ffd5b5dd5cb537ab43e13b51f2c05dc32a19b0fdfd4280c05dff7a50d5d958f25859ecb3c8101c5cee7fc2270f785535875cf80947c841eb25479932e4e0

Download Submit
memory/1672-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1672-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1672-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1900-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1900-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2904-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3536-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3536-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4200-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4200-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4812-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4812-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4812-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4812-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download