neconyd | 2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923

Analysis

max time kernel
116s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Size

96KB
MD5

d32121b969165044095b640f838947d2
SHA1

52aeab88ac91baff20f05e1c95af834e6e9cd759
SHA256

2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923
SHA512

919e74d5598a2ea958fd97d4f4d28105f744cd4df7c19d4740b58830eb05313785629c5845249c1884bd41c89af19834fb84bb1dfeb2a615b351f7fb2cafa986
SSDEEP

1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1012	omsecor.exe
4512	omsecor.exe
1916	omsecor.exe
2924	omsecor.exe
3960	omsecor.exe
3912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4368 set thread context of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 1012 set thread context of 4512	1012	omsecor.exe	89
PID 1916 set thread context of 2924	1916	omsecor.exe	110
PID 3960 set thread context of 3912	3960	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3976	4368	WerFault.exe	83
2064	1012	WerFault.exe	86
2256	1916	WerFault.exe	109
4384	3960	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 4368 wrote to memory of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 4368 wrote to memory of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 4368 wrote to memory of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 4368 wrote to memory of 5056	4368	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	84
PID 5056 wrote to memory of 1012	5056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	86
PID 5056 wrote to memory of 1012	5056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	86
PID 5056 wrote to memory of 1012	5056	2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe	86
PID 1012 wrote to memory of 4512	1012	omsecor.exe	89
PID 1012 wrote to memory of 4512	1012	omsecor.exe	89
PID 1012 wrote to memory of 4512	1012	omsecor.exe	89
PID 1012 wrote to memory of 4512	1012	omsecor.exe	89
PID 1012 wrote to memory of 4512	1012	omsecor.exe	89
PID 4512 wrote to memory of 1916	4512	omsecor.exe	109
PID 4512 wrote to memory of 1916	4512	omsecor.exe	109
PID 4512 wrote to memory of 1916	4512	omsecor.exe	109
PID 1916 wrote to memory of 2924	1916	omsecor.exe	110
PID 1916 wrote to memory of 2924	1916	omsecor.exe	110
PID 1916 wrote to memory of 2924	1916	omsecor.exe	110
PID 1916 wrote to memory of 2924	1916	omsecor.exe	110
PID 1916 wrote to memory of 2924	1916	omsecor.exe	110
PID 2924 wrote to memory of 3960	2924	omsecor.exe	112
PID 2924 wrote to memory of 3960	2924	omsecor.exe	112
PID 2924 wrote to memory of 3960	2924	omsecor.exe	112
PID 3960 wrote to memory of 3912	3960	omsecor.exe	114
PID 3960 wrote to memory of 3912	3960	omsecor.exe	114
PID 3960 wrote to memory of 3912	3960	omsecor.exe	114
PID 3960 wrote to memory of 3912	3960	omsecor.exe	114
PID 3960 wrote to memory of 3912	3960	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
"C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
  C:\Users\Admin\AppData\Local\Temp\2c87cacb38051fd4f9cc440f0b67fee91830cf3247b5bf9eb2fe9d0d618ca923.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 256
        8⤵
        Program crash
        
        PID:4384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 292
        6⤵
        Program crash
        
        PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 300
      4⤵
      Program crash
      PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 288
  2⤵
  - Program crash
  PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1012 -ip 1012
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1916 -ip 1916
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3960 -ip 3960
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3875d7a3564a84c7e140e32b85c66a45

SHA1
12cdde3ced9073475f14ebfb7895a117dc234724

SHA256
bcf6c445388a01aa840bf78229e33d473a97645477e8eee112e71d369b5e59a7

SHA512
e2ad613e077ded0f132673f2b83688ac476d4c9a1e242332ab2370863cd4f264e827a2eee03562460f95693e3943198f4ece1ed39a07944189acd58f556b805c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
97ac1e6fc0ce16c0b5c3ca68f6601da5

SHA1
40b2c0d2e78bc5504f5d67c06061bb2e7fbcd08d

SHA256
1db06e47cb44c9a8d2d658a8a9edff46f1e2521ca6c4737789bf8b492f20b16a

SHA512
4ac7d1beb6d60c366b5e13dddc6593db128301fe3376018fcf31db496e2011336d2265ee8d568c4224e79d9a7bff15980f807b36fda9d0e2a5f88048aad96b16

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
49835321ab18bbf7e9c11faf8d1d5e45

SHA1
a58498e6a4bdbec40e1f334808a6fb352af2664a

SHA256
f67fc41302ffd61233b49e5e1c668104e5e31d353122fdf90da51a1490e4d1c6

SHA512
a2298789963fe67afe7d854707e5f195a008699f50219db840d0a0e3a5df8162ac6a80f1e4a471bba120c77c97225177206652ae2ec3168bc7019230ac496e8a

Download Submit
memory/1012-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1012-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2924-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2924-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3912-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3912-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3912-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3960-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3960-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4512-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download