neconyd | 0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Size

96KB
MD5

c5061cb02f8a9fcac28699f7c5af3940
SHA1

b6a76e05979acb92f7c77e81104666f8b98ea78e
SHA256

0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839
SHA512

e00b41cb1ad5a2bfcf87af437d78ceb8258b4ab327a7ce44b868f5c791b88ed11af1e17bb8357a8a1c6110c5eba345376065a7945388f7a19800bfe297d40ce6
SSDEEP

1536:/nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:/Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1272	omsecor.exe
4512	omsecor.exe
2968	omsecor.exe
820	omsecor.exe
2996	omsecor.exe
2964	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1272 set thread context of 4512	1272	omsecor.exe	87
PID 2968 set thread context of 820	2968	omsecor.exe	111
PID 2996 set thread context of 2964	2996	omsecor.exe	115

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2932	1840	WerFault.exe	82
5088	1272	WerFault.exe	86
1388	2968	WerFault.exe	110
4972	2996	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1840 wrote to memory of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1840 wrote to memory of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1840 wrote to memory of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1840 wrote to memory of 1372	1840	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	83
PID 1372 wrote to memory of 1272	1372	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	86
PID 1372 wrote to memory of 1272	1372	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	86
PID 1372 wrote to memory of 1272	1372	0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe	86
PID 1272 wrote to memory of 4512	1272	omsecor.exe	87
PID 1272 wrote to memory of 4512	1272	omsecor.exe	87
PID 1272 wrote to memory of 4512	1272	omsecor.exe	87
PID 1272 wrote to memory of 4512	1272	omsecor.exe	87
PID 1272 wrote to memory of 4512	1272	omsecor.exe	87
PID 4512 wrote to memory of 2968	4512	omsecor.exe	110
PID 4512 wrote to memory of 2968	4512	omsecor.exe	110
PID 4512 wrote to memory of 2968	4512	omsecor.exe	110
PID 2968 wrote to memory of 820	2968	omsecor.exe	111
PID 2968 wrote to memory of 820	2968	omsecor.exe	111
PID 2968 wrote to memory of 820	2968	omsecor.exe	111
PID 2968 wrote to memory of 820	2968	omsecor.exe	111
PID 2968 wrote to memory of 820	2968	omsecor.exe	111
PID 820 wrote to memory of 2996	820	omsecor.exe	113
PID 820 wrote to memory of 2996	820	omsecor.exe	113
PID 820 wrote to memory of 2996	820	omsecor.exe	113
PID 2996 wrote to memory of 2964	2996	omsecor.exe	115
PID 2996 wrote to memory of 2964	2996	omsecor.exe	115
PID 2996 wrote to memory of 2964	2996	omsecor.exe	115
PID 2996 wrote to memory of 2964	2996	omsecor.exe	115
PID 2996 wrote to memory of 2964	2996	omsecor.exe	115

C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
"C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
  C:\Users\Admin\AppData\Local\Temp\0d18ad9c113116ec1983be25cc5847505f4be932013364012fbc834cb70fd839N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 256
        8⤵
        Program crash
        
        PID:4972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 292
        6⤵
        Program crash
        
        PID:1388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 288
      4⤵
      Program crash
      PID:5088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 288
  2⤵
  - Program crash
  PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1272 -ip 1272
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2968 -ip 2968
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2996 -ip 2996
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
48b37ca367fde5c76554b74c110eaa27

SHA1
6e81301b361856cd301b02242c3d4af808507ec3

SHA256
71be9af2a054b8006ddf52fd38cafdd88e611b881f986811433089c20c028dc8

SHA512
cf415b36b92f71177bce4dd2310a19755e5278a6f7f838f733f3fe4f3a0e522795c0182c0681b41a2ff64938296833d1b0c8333a6f22502647a27a5e652abfeb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1f6d1164d853e2b7d8105b844d3e7147

SHA1
33b7026ef4b95d5da015b48372c3b3480a53cea6

SHA256
1fe18aed95ed84c82052e4c62a7cf33e0c6904f8cfdafa833132d7069b6e81ee

SHA512
290f35b2422df3149eaba09d2baac57808b04704478d6213fb32d3f76c9a6f787b5a68a5ee439a96fdb495cee0499650276b02e8e650267cccafb0c192a247a9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d2de74120d41d0d77b452178a5dfe0af

SHA1
b69b3a870296f94452243fb21df394e5950e4fd0

SHA256
87c6258d5cff865bc2458120cdcfc1dd5df98e59460c2e699764afcba354e46d

SHA512
1462e25e2ed08698e62099bc6041cf04e5e46ca7d8cfb650e1af0a52da0b3249a40f4af703dd4ab2618fa20d6a745a7ae1e2769f52acca20c1047d44cb7c8eb0

Download Submit
memory/820-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/820-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/820-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1272-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1372-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2964-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2996-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4512-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download