neconyd | 012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
Size

96KB
MD5

cc333373eb0d0b42df1beb07df2b8695
SHA1

26bd3c3703f6e804f52741ec931c231f18d9dab6
SHA256

012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870
SHA512

cf3fc2074274d6f170f68b2ae6c8a75e77a0d3453f155229e13629aa7a38a0e6f0066e83327d63a1ccb28acbdb7fe6d22e21fd3f510bdb083274ebf17f6afdd8
SSDEEP

1536:tnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:tGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4916	omsecor.exe
4820	omsecor.exe
2804	omsecor.exe
4024	omsecor.exe
4776	omsecor.exe
3964	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4916 set thread context of 4820	4916	omsecor.exe	86
PID 2804 set thread context of 4024	2804	omsecor.exe	100
PID 4776 set thread context of 3964	4776	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2348	4552	WerFault.exe	81
3580	4916	WerFault.exe	84
4648	2804	WerFault.exe	99
1828	4776	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4552 wrote to memory of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4552 wrote to memory of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4552 wrote to memory of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4552 wrote to memory of 4780	4552	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	82
PID 4780 wrote to memory of 4916	4780	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	84
PID 4780 wrote to memory of 4916	4780	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	84
PID 4780 wrote to memory of 4916	4780	012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe	84
PID 4916 wrote to memory of 4820	4916	omsecor.exe	86
PID 4916 wrote to memory of 4820	4916	omsecor.exe	86
PID 4916 wrote to memory of 4820	4916	omsecor.exe	86
PID 4916 wrote to memory of 4820	4916	omsecor.exe	86
PID 4916 wrote to memory of 4820	4916	omsecor.exe	86
PID 4820 wrote to memory of 2804	4820	omsecor.exe	99
PID 4820 wrote to memory of 2804	4820	omsecor.exe	99
PID 4820 wrote to memory of 2804	4820	omsecor.exe	99
PID 2804 wrote to memory of 4024	2804	omsecor.exe	100
PID 2804 wrote to memory of 4024	2804	omsecor.exe	100
PID 2804 wrote to memory of 4024	2804	omsecor.exe	100
PID 2804 wrote to memory of 4024	2804	omsecor.exe	100
PID 2804 wrote to memory of 4024	2804	omsecor.exe	100
PID 4024 wrote to memory of 4776	4024	omsecor.exe	102
PID 4024 wrote to memory of 4776	4024	omsecor.exe	102
PID 4024 wrote to memory of 4776	4024	omsecor.exe	102
PID 4776 wrote to memory of 3964	4776	omsecor.exe	104
PID 4776 wrote to memory of 3964	4776	omsecor.exe	104
PID 4776 wrote to memory of 3964	4776	omsecor.exe	104
PID 4776 wrote to memory of 3964	4776	omsecor.exe	104
PID 4776 wrote to memory of 3964	4776	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
"C:\Users\Admin\AppData\Local\Temp\012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
  C:\Users\Admin\AppData\Local\Temp\012e87fea0541eeaab6620cd992bf3be1a86639f383eaf2a2be5f51cc2840870.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 256
        8⤵
        Program crash
        
        PID:1828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 292
        6⤵
        Program crash
        
        PID:4648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 288
      4⤵
      Program crash
      PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 292
  2⤵
  - Program crash
  PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4916 -ip 4916
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2804 -ip 2804
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4776 -ip 4776
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
17e4079e74fceff143f0c019f776a038

SHA1
2270339c9c741582be96ef7f234234ad30542497

SHA256
295a682cdbd3d70d0ce53c05dc467e1659bb97bfed59a9d1bdb3917f99d901c6

SHA512
10c1fa3e5a8d106e572da91362e2be901d38358d206684ef0dc8a2c5d91209b7aca67ba9b67e3dc183ae48500dced5642eb83d32a5174e3c52aa3d017c6f208d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0ccc11868913d7305bac0c611568599d

SHA1
219c20d8207ea9b1d9c0017feed245b20055f0e5

SHA256
45c572298b687ad4d61369d7c821ffe3f3aa3c1137863578daabe838704e1997

SHA512
8799c1dfe300bab7ed9cf2896219a7a6a705153c0e407bf1c72c0f2f65d5a1c2a194bfc563102400028a96ff0d0ea486a43d65c908cae0ad55c2aaad36a1337e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
134e3474be1943c335c9c112246cacf9

SHA1
0680803a53d4a4002a32a0f0529ae02d47939f92

SHA256
61051d645711f6b2130edf7cb68f140cdec5850cc5cfac2aad5e09f37e1a19ea

SHA512
1c7fb08290d4c0f9f1687c76592f7b7ddd7ad74a28960f1511e69be1ab9bce5f4715857caa2a1ead05ce91a6797d026eba6827d26e9234917fe6524331a689c0

Download Submit
memory/2804-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3964-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4552-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4776-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4780-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4916-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download