neconyd | 9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Size

134KB
MD5

acd5d87e072e2b397b32af9114ca7e60
SHA1

2df8835eb662dfa19af62d7bebfe042ef5e9ff62
SHA256

9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780e
SHA512

309ee57f5c28455aad2acf00720bbcf9b97947ab0434c18175b8fbd81546e31fcfef29cb7f0ec68947f83fa4b5aa3f5e4748279546a0ed717d92fbaa1bf46d8b
SSDEEP

1536:ADfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:2iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2360	omsecor.exe
2228	omsecor.exe
3528	omsecor.exe
3500	omsecor.exe
3672	omsecor.exe
1476	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 2360 set thread context of 2228	2360	omsecor.exe	87
PID 3528 set thread context of 3500	3528	omsecor.exe	108
PID 3672 set thread context of 1476	3672	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3656	4308	WerFault.exe	82
3112	2360	WerFault.exe	85
440	3528	WerFault.exe	107
1884	3672	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 4308 wrote to memory of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 4308 wrote to memory of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 4308 wrote to memory of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 4308 wrote to memory of 5076	4308	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	83
PID 5076 wrote to memory of 2360	5076	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	85
PID 5076 wrote to memory of 2360	5076	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	85
PID 5076 wrote to memory of 2360	5076	9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe	85
PID 2360 wrote to memory of 2228	2360	omsecor.exe	87
PID 2360 wrote to memory of 2228	2360	omsecor.exe	87
PID 2360 wrote to memory of 2228	2360	omsecor.exe	87
PID 2360 wrote to memory of 2228	2360	omsecor.exe	87
PID 2360 wrote to memory of 2228	2360	omsecor.exe	87
PID 2228 wrote to memory of 3528	2228	omsecor.exe	107
PID 2228 wrote to memory of 3528	2228	omsecor.exe	107
PID 2228 wrote to memory of 3528	2228	omsecor.exe	107
PID 3528 wrote to memory of 3500	3528	omsecor.exe	108
PID 3528 wrote to memory of 3500	3528	omsecor.exe	108
PID 3528 wrote to memory of 3500	3528	omsecor.exe	108
PID 3528 wrote to memory of 3500	3528	omsecor.exe	108
PID 3528 wrote to memory of 3500	3528	omsecor.exe	108
PID 3500 wrote to memory of 3672	3500	omsecor.exe	110
PID 3500 wrote to memory of 3672	3500	omsecor.exe	110
PID 3500 wrote to memory of 3672	3500	omsecor.exe	110
PID 3672 wrote to memory of 1476	3672	omsecor.exe	112
PID 3672 wrote to memory of 1476	3672	omsecor.exe	112
PID 3672 wrote to memory of 1476	3672	omsecor.exe	112
PID 3672 wrote to memory of 1476	3672	omsecor.exe	112
PID 3672 wrote to memory of 1476	3672	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
"C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
  C:\Users\Admin\AppData\Local\Temp\9294fb94816f3b110fecfb0f30cada9138fa136ed3c93ef0be5fab11d753780eN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 268
        8⤵
        Program crash
        
        PID:1884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 292
        6⤵
        Program crash
        
        PID:440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 288
      4⤵
      Program crash
      PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 300
  2⤵
  - Program crash
  PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4308 -ip 4308
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2360 -ip 2360
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3528 -ip 3528
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3672 -ip 3672
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b8ff22257262b66fd56bf2dc59305fd0

SHA1
a31582634558e8cd0271ad469f302ed80803c8c0

SHA256
80b7449a96dd0d9100d7f13b514d73343ab9c71680f2312843f4c0c0a0588da3

SHA512
70d7d730272e76c9d0a22fc729d515c351524b4ddc1726c20057f7d2107e5e5b5a6b525f3cb2a4550fc94dd44cc7c6ecead709c101101aa8a47e8b6601a00b40

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
5ce68c76263d053570d82c464d614efb

SHA1
d7eee01a17e897412e626c97cc0c8f5696562cc1

SHA256
ad1a630e2f4e71590b2c4a48c3fd03844c9475f8112d0aa2aa7ffca20dd5ac88

SHA512
78f3d9a815802f4a602173940dbb237f00870834376c8af5ce180df28f8129fcf6dd447afc6e95a3ade3dffcdfea06cd6ee044048e6207b4f221d4c8d5d799aa

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
f6b8950bd083b8ca71344d4df9181bb1

SHA1
8130c7b6a015b8f4ada2d6cf0a07d8055b201a26

SHA256
ac81c36ca6666d4e9458543a5a51240c63666ee0135e078f8b828f8d941b494d

SHA512
38e398e108ab45b2b1e8196e5c21a89ce18b4c208d6e99a083cd67559016052c298f985892b6e6729c7a3ac984b687f58aea855067c65bf838a17a4d6dfb6b57

Download Submit
memory/1476-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3500-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3528-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3672-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3672-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4308-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4308-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5076-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download