neconyd | c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
Size

96KB
MD5

f48861c25b79ec043939e02f8d9728eb
SHA1

c58d1c5d7431c3eeffcbb361a4c5e8c81b902b96
SHA256

c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc
SHA512

70306477fc9e129f369c95addcc74e0fd835107e2e07d486970d93c3d6ad88ae74d239f45696a817d2e51759433539363fb254518eb6282781392933f25391ad
SSDEEP

1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:VGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3640	omsecor.exe
4548	omsecor.exe
4028	omsecor.exe
632	omsecor.exe
3720	omsecor.exe
4468	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 3640 set thread context of 4548	3640	omsecor.exe	87
PID 4028 set thread context of 632	4028	omsecor.exe	100
PID 3720 set thread context of 4468	3720	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3492	3280	WerFault.exe	81
4408	3640	WerFault.exe	84
1152	4028	WerFault.exe	99
3448	3720	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 3280 wrote to memory of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 3280 wrote to memory of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 3280 wrote to memory of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 3280 wrote to memory of 4560	3280	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	82
PID 4560 wrote to memory of 3640	4560	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	84
PID 4560 wrote to memory of 3640	4560	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	84
PID 4560 wrote to memory of 3640	4560	c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe	84
PID 3640 wrote to memory of 4548	3640	omsecor.exe	87
PID 3640 wrote to memory of 4548	3640	omsecor.exe	87
PID 3640 wrote to memory of 4548	3640	omsecor.exe	87
PID 3640 wrote to memory of 4548	3640	omsecor.exe	87
PID 3640 wrote to memory of 4548	3640	omsecor.exe	87
PID 4548 wrote to memory of 4028	4548	omsecor.exe	99
PID 4548 wrote to memory of 4028	4548	omsecor.exe	99
PID 4548 wrote to memory of 4028	4548	omsecor.exe	99
PID 4028 wrote to memory of 632	4028	omsecor.exe	100
PID 4028 wrote to memory of 632	4028	omsecor.exe	100
PID 4028 wrote to memory of 632	4028	omsecor.exe	100
PID 4028 wrote to memory of 632	4028	omsecor.exe	100
PID 4028 wrote to memory of 632	4028	omsecor.exe	100
PID 632 wrote to memory of 3720	632	omsecor.exe	102
PID 632 wrote to memory of 3720	632	omsecor.exe	102
PID 632 wrote to memory of 3720	632	omsecor.exe	102
PID 3720 wrote to memory of 4468	3720	omsecor.exe	104
PID 3720 wrote to memory of 4468	3720	omsecor.exe	104
PID 3720 wrote to memory of 4468	3720	omsecor.exe	104
PID 3720 wrote to memory of 4468	3720	omsecor.exe	104
PID 3720 wrote to memory of 4468	3720	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
"C:\Users\Admin\AppData\Local\Temp\c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
  C:\Users\Admin\AppData\Local\Temp\c4d858433c59f758a00826c19c0d95e5ba201d66b4faab2eaccf5115380c2dbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 252
        8⤵
        Program crash
        
        PID:3448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 292
        6⤵
        Program crash
        
        PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 292
      4⤵
      Program crash
      PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 288
  2⤵
  - Program crash
  PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3640 -ip 3640
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4028 -ip 4028
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3720 -ip 3720
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5cc16981a15ee2c9af743786c0b9cee0

SHA1
6309717e7225f81ad90007f5d10a9e47521e180d

SHA256
1f9500ecdace3ba24e29a039d00bc427b1198ee62dfcd592324f1a9f4dc5c669

SHA512
27610db5e1481216b0d27ba004c3d140a464a6dfcebdf328179af97999efc35e42d64b4999b9e5ab5eeb991b4cfa714f61ea11e6148510c17ecf9d7b881b8466

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1a74c5b69af6e5492cb97af64ebcac38

SHA1
80c358e66668ebb35c60ffff3ca3fcfb651d0d14

SHA256
6ef4750a2a146676db28a7955ecdcf0f6e7d9de73bb660c32f2549d521255572

SHA512
23140995bed48ad45300c349bd74939dea28e36ec11552be3158f92fed59a781c37e2f2fac2c6e6a1c1d58d46d9cd28da5072a8e226143bdc096368bc4e00871

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f388e2acda9724de1fb4b3bc82841fee

SHA1
99c712a629cac1968abbd22800f98af6b565a4a8

SHA256
7c42bd97505bc1dce071ca4ed0a3e2e862d6d4ac128f2e4ea53a1116657bd9af

SHA512
fe7259a524444ed599e59376f922a63f5778e491ecf35a07920571de0b394f8d52c101e902e5fe17d6df2e97eac60d3818494707abd8adda05cd13ac0c01b388

Download Submit
memory/632-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/632-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/632-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3280-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3280-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3640-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3640-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3720-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3720-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4028-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4028-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4468-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download