neconyd | f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
Size

96KB
MD5

7fa334ca092185026c561dec6da7dad6
SHA1

0f7851a603baa80f6864b2e3f6ce99b2e6f0fff8
SHA256

f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505
SHA512

2f582f853952635d9a4a2a9376c000d538db2784a5de9712f12a68c25df9aaaf72e27d0e8457349b01a377b252bf9e576457549a5ca76a7257b8f0833f799472
SSDEEP

1536:enAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:eGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1556	omsecor.exe
4496	omsecor.exe
4708	omsecor.exe
5076	omsecor.exe
4148	omsecor.exe
2724	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3196 set thread context of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 1556 set thread context of 4496	1556	omsecor.exe	88
PID 4708 set thread context of 5076	4708	omsecor.exe	109
PID 4148 set thread context of 2724	4148	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3192	3196	WerFault.exe	82
872	1556	WerFault.exe	86
1732	4708	WerFault.exe	108
3944	4148	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 3196 wrote to memory of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 3196 wrote to memory of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 3196 wrote to memory of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 3196 wrote to memory of 4564	3196	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	83
PID 4564 wrote to memory of 1556	4564	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	86
PID 4564 wrote to memory of 1556	4564	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	86
PID 4564 wrote to memory of 1556	4564	f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe	86
PID 1556 wrote to memory of 4496	1556	omsecor.exe	88
PID 1556 wrote to memory of 4496	1556	omsecor.exe	88
PID 1556 wrote to memory of 4496	1556	omsecor.exe	88
PID 1556 wrote to memory of 4496	1556	omsecor.exe	88
PID 1556 wrote to memory of 4496	1556	omsecor.exe	88
PID 4496 wrote to memory of 4708	4496	omsecor.exe	108
PID 4496 wrote to memory of 4708	4496	omsecor.exe	108
PID 4496 wrote to memory of 4708	4496	omsecor.exe	108
PID 4708 wrote to memory of 5076	4708	omsecor.exe	109
PID 4708 wrote to memory of 5076	4708	omsecor.exe	109
PID 4708 wrote to memory of 5076	4708	omsecor.exe	109
PID 4708 wrote to memory of 5076	4708	omsecor.exe	109
PID 4708 wrote to memory of 5076	4708	omsecor.exe	109
PID 5076 wrote to memory of 4148	5076	omsecor.exe	111
PID 5076 wrote to memory of 4148	5076	omsecor.exe	111
PID 5076 wrote to memory of 4148	5076	omsecor.exe	111
PID 4148 wrote to memory of 2724	4148	omsecor.exe	112
PID 4148 wrote to memory of 2724	4148	omsecor.exe	112
PID 4148 wrote to memory of 2724	4148	omsecor.exe	112
PID 4148 wrote to memory of 2724	4148	omsecor.exe	112
PID 4148 wrote to memory of 2724	4148	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
"C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
  C:\Users\Admin\AppData\Local\Temp\f8cb182183b6d56a7405f94ba4ef71bf9625c7e439229b5d30b381fa97d88505.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 256
        8⤵
        Program crash
        
        PID:3944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 296
        6⤵
        Program crash
        
        PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 288
      4⤵
      Program crash
      PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 288
  2⤵
  - Program crash
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1556 -ip 1556
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4708 -ip 4708
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4148 -ip 4148
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
be2df0a17e2f2fcd03f947992ae8bc52

SHA1
43091820e97aeeef8418f14780730afc0e23b2b8

SHA256
82cc768d59d4a5272b95e119f8fa404c88c02568fba074095a1a37c1f64a6381

SHA512
1d2d71bd95e896910ebf37a4dced0a7d1e6981a2d8c4d7d5fc8ed36be5b144793a2d6bd7ebe9de6c6a42684ce3ae8fc7d19fbd4a758cb37df23d3ec33a314eeb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
13c16dcfc64db649ace3fa15b63e300d

SHA1
177a7a5aca8e34d584ffa672ff36d257c22e0d63

SHA256
2df1b3119be5bc9f7c897e9b9c845381050fe162daf11660551447400c0149b9

SHA512
b0024d7615464ca48b6c500fb60120a3cc381840d4a9e3ba64fb78df25f9b6397a7b5dac94beaa2a0c6e9d67d277be32676168dfa1fc76c3c4ed6a0a34a93e33

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
535251aba2264e7de5b86d495e2a0d6d

SHA1
f917f77cf8cf90a5e29d3c909cd07537d092498f

SHA256
a54fc1e7b55c473cb2db6b60333154b79688a57b553d34d88e70bf58d1e22abc

SHA512
5eaaff51025f61d3f0e7b6d0d4df3477a870ebb2490739522040e80aab0ab614fc626d0635d1c5e7df6bda24f250eb2f582b0f9dbdb50516270d18200164353e

Download Submit
memory/1556-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1556-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3196-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4148-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4496-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4708-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5076-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download