neconyd | aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
Size

96KB
MD5

c3ba66124b5c044d8490874363f44c85
SHA1

c218c4b47009ed83a0c97278229f734fd36d73f8
SHA256

aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480
SHA512

701e42fa4d529790c8585d0d97430b9bf6a82f2dccb2725105d44824fb7ed536378dfce643131838e72d719e5aa569f143a6ef5053e1296e8738bf1abc2f31c6
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxZ:lGs8cd8eXlYairZYqMddH13Z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2128	omsecor.exe
3784	omsecor.exe
2480	omsecor.exe
1840	omsecor.exe
2544	omsecor.exe
2224	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 2128 set thread context of 3784	2128	omsecor.exe	88
PID 2480 set thread context of 1840	2480	omsecor.exe	102
PID 2544 set thread context of 2224	2544	omsecor.exe	106

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2208	560	WerFault.exe	83
2896	2128	WerFault.exe	86
4488	2480	WerFault.exe	101
3656	2544	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 560 wrote to memory of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 560 wrote to memory of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 560 wrote to memory of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 560 wrote to memory of 3008	560	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	84
PID 3008 wrote to memory of 2128	3008	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	86
PID 3008 wrote to memory of 2128	3008	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	86
PID 3008 wrote to memory of 2128	3008	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	86
PID 2128 wrote to memory of 3784	2128	omsecor.exe	88
PID 2128 wrote to memory of 3784	2128	omsecor.exe	88
PID 2128 wrote to memory of 3784	2128	omsecor.exe	88
PID 2128 wrote to memory of 3784	2128	omsecor.exe	88
PID 2128 wrote to memory of 3784	2128	omsecor.exe	88
PID 3784 wrote to memory of 2480	3784	omsecor.exe	101
PID 3784 wrote to memory of 2480	3784	omsecor.exe	101
PID 3784 wrote to memory of 2480	3784	omsecor.exe	101
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 1840 wrote to memory of 2544	1840	omsecor.exe	104
PID 1840 wrote to memory of 2544	1840	omsecor.exe	104
PID 1840 wrote to memory of 2544	1840	omsecor.exe	104
PID 2544 wrote to memory of 2224	2544	omsecor.exe	106
PID 2544 wrote to memory of 2224	2544	omsecor.exe	106
PID 2544 wrote to memory of 2224	2544	omsecor.exe	106
PID 2544 wrote to memory of 2224	2544	omsecor.exe	106
PID 2544 wrote to memory of 2224	2544	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
"C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
  C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 244
        8⤵
        Program crash
        
        PID:3656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 292
        6⤵
        Program crash
        
        PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 288
      4⤵
      Program crash
      PID:2896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 288
  2⤵
  - Program crash
  PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 560 -ip 560
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2128 -ip 2128
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2544 -ip 2544
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f2369becf6e90464421ed7e0a50c668c

SHA1
d9932a62c830985252e186c6d1d4f9f1a7fe6711

SHA256
139cde5e3a99ac935fa10b803aa6b3cfec04f863b02483d8436a934cb209ab77

SHA512
e53d9833f6289c59d40120fd067643d31e0ce26f8dee6f65bedc451ba34770cb4aa92f79cc8ef8aa0267a9e19b92c4fef8f583ee6716526201667eb02f7ccd8a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0301705ee6f6e4f555c232bd1cf7135d

SHA1
ad79d01bc50eb1ce7a3ee18a14e0f2b0ee974bae

SHA256
90579ff960ceaeaa56356659abf95370adca4fc33087e0f5144a6ea98313f1a9

SHA512
0a269a44dd1a7af1349f4b82845cd5cbfb1958c05e3542570b751f8504d08da148c9a91710d823a1ba9683409ecdc2ed297c8c87ff543ec6d3fa07a5cdecae46

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
97b322aa1d9aff110d2cbdb03deb396a

SHA1
96143e391192c8b01f57c3f3242b7ac8ee2509cf

SHA256
bb7b1f79e5f1e791dbfbbd42d680390cc613d5ab276d7a5f18d2fc36abcf3f25

SHA512
48d35d98c4126e81850ca1c2e2986902a09bcab74cadc525c6b76e7801f385bcf56f0569dfaf202bd630ec17426682edf6c37cc6fab6e77bfb376f03f6116e69

Download Submit
memory/560-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/560-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2224-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2224-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2224-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2544-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2544-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3008-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3784-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download