neconyd | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
Size

134KB
MD5

7f22c9c284b4cb5cca87ad679107e010
SHA1

246f2beb44f05b708b3c102bad5bd2f95b319b43
SHA256

e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead
SHA512

6174a15c772b7868be6ace49cb4a0180a68cfb3968dd241aaa3f0920dabd452f9e5a771cfc9462205e1fbf6af4bc368d2d80e1357814190d3ebabed05d22a3e3
SSDEEP

1536:GDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:4iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
636	omsecor.exe
2984	omsecor.exe
4940	omsecor.exe
1976	omsecor.exe
4524	omsecor.exe
4012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 636 set thread context of 2984	636	omsecor.exe	87
PID 4940 set thread context of 1976	4940	omsecor.exe	100
PID 4524 set thread context of 4012	4524	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1036	4004	WerFault.exe	81
5008	636	WerFault.exe	84
4656	4940	WerFault.exe	99
3036	4524	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 4004 wrote to memory of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 4004 wrote to memory of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 4004 wrote to memory of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 4004 wrote to memory of 1236	4004	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	82
PID 1236 wrote to memory of 636	1236	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	84
PID 1236 wrote to memory of 636	1236	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	84
PID 1236 wrote to memory of 636	1236	e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe	84
PID 636 wrote to memory of 2984	636	omsecor.exe	87
PID 636 wrote to memory of 2984	636	omsecor.exe	87
PID 636 wrote to memory of 2984	636	omsecor.exe	87
PID 636 wrote to memory of 2984	636	omsecor.exe	87
PID 636 wrote to memory of 2984	636	omsecor.exe	87
PID 2984 wrote to memory of 4940	2984	omsecor.exe	99
PID 2984 wrote to memory of 4940	2984	omsecor.exe	99
PID 2984 wrote to memory of 4940	2984	omsecor.exe	99
PID 4940 wrote to memory of 1976	4940	omsecor.exe	100
PID 4940 wrote to memory of 1976	4940	omsecor.exe	100
PID 4940 wrote to memory of 1976	4940	omsecor.exe	100
PID 4940 wrote to memory of 1976	4940	omsecor.exe	100
PID 4940 wrote to memory of 1976	4940	omsecor.exe	100
PID 1976 wrote to memory of 4524	1976	omsecor.exe	102
PID 1976 wrote to memory of 4524	1976	omsecor.exe	102
PID 1976 wrote to memory of 4524	1976	omsecor.exe	102
PID 4524 wrote to memory of 4012	4524	omsecor.exe	103
PID 4524 wrote to memory of 4012	4524	omsecor.exe	103
PID 4524 wrote to memory of 4012	4524	omsecor.exe	103
PID 4524 wrote to memory of 4012	4524	omsecor.exe	103
PID 4524 wrote to memory of 4012	4524	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
"C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 268
        8⤵
        Program crash
        
        PID:3036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 292
        6⤵
        Program crash
        
        PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 288
      4⤵
      Program crash
      PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 288
  2⤵
  - Program crash
  PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4004 -ip 4004
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 636 -ip 636
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4940 -ip 4940
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4524 -ip 4524
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
07c52e48a617607a3be1066f011453e2

SHA1
abe72fc33ce382a83dae9cb8058340f16b95e49b

SHA256
b678fd82a093da2f020ac357f402c7658daaafd2f4be99ebd8b6cd60b9821ebb

SHA512
ccb18411f07e22b388a210c00830f2e47947c7a54dff36c6cb1a41d7e7b0dbc2f6e48f23c49e921e32c3b0a2dc0eaf6e66a538287aa3cc720ff262625031b499

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
18668d61121192e11537698f2eb97846

SHA1
d01fe865e9d8fe97739a63286ddd4616fad422b0

SHA256
8963b2320e25b958b27a0887bd29fe287339eb4e3423d842705b883fcb70a2bc

SHA512
56c6f7938e0aa2200009ed08b0377e4d08a157a2af045c29512222cd45b663ffc5392c03b2b0561d9bbf96a9a88f8dab87837f8b5dfd8afdd494450b9f785861

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
11123f9912a1c7e790237aa72ccc631f

SHA1
47a373795e9c7af0dbe293af2a01f07c2156d79b

SHA256
f6f09238dfd44715f12c988fb34f7edffa3e4508905a6d96885535fe3836c600

SHA512
5ed75df9a8abe5929a6fe70a7fd25fe0f89aebb3c5a1c3464b895b41ab1553d9c04f3ace4cf9a0d5e20f25fd25290239464b5ce8c3c1aafae636af4f53e9d984

Download Submit
memory/636-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/636-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4004-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4004-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4012-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4524-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4940-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download