neconyd | a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Size

96KB
MD5

c709c8f097c6705265411c7a8b92f632
SHA1

57b68849fd4871d5779dcca7c5cea0e34d69c14b
SHA256

a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece
SHA512

ca334b1714464066cd7cb3e956aeeed5d76d84cd3f86e54dc6307ee6f45f44dd636fef673f643e0489cfa13d49df6a4678df016401ff000eae93f6eda80aee6b
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:pGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1180	omsecor.exe
4832	omsecor.exe
4164	omsecor.exe
4912	omsecor.exe
2944	omsecor.exe
4384	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 1180 set thread context of 4832	1180	omsecor.exe	87
PID 4164 set thread context of 4912	4164	omsecor.exe	108
PID 2944 set thread context of 4384	2944	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2804	3056	WerFault.exe	82
1748	1180	WerFault.exe	86
4960	4164	WerFault.exe	107
4864	2944	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 3056 wrote to memory of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 3056 wrote to memory of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 3056 wrote to memory of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 3056 wrote to memory of 3364	3056	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	83
PID 3364 wrote to memory of 1180	3364	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	86
PID 3364 wrote to memory of 1180	3364	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	86
PID 3364 wrote to memory of 1180	3364	a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe	86
PID 1180 wrote to memory of 4832	1180	omsecor.exe	87
PID 1180 wrote to memory of 4832	1180	omsecor.exe	87
PID 1180 wrote to memory of 4832	1180	omsecor.exe	87
PID 1180 wrote to memory of 4832	1180	omsecor.exe	87
PID 1180 wrote to memory of 4832	1180	omsecor.exe	87
PID 4832 wrote to memory of 4164	4832	omsecor.exe	107
PID 4832 wrote to memory of 4164	4832	omsecor.exe	107
PID 4832 wrote to memory of 4164	4832	omsecor.exe	107
PID 4164 wrote to memory of 4912	4164	omsecor.exe	108
PID 4164 wrote to memory of 4912	4164	omsecor.exe	108
PID 4164 wrote to memory of 4912	4164	omsecor.exe	108
PID 4164 wrote to memory of 4912	4164	omsecor.exe	108
PID 4164 wrote to memory of 4912	4164	omsecor.exe	108
PID 4912 wrote to memory of 2944	4912	omsecor.exe	110
PID 4912 wrote to memory of 2944	4912	omsecor.exe	110
PID 4912 wrote to memory of 2944	4912	omsecor.exe	110
PID 2944 wrote to memory of 4384	2944	omsecor.exe	111
PID 2944 wrote to memory of 4384	2944	omsecor.exe	111
PID 2944 wrote to memory of 4384	2944	omsecor.exe	111
PID 2944 wrote to memory of 4384	2944	omsecor.exe	111
PID 2944 wrote to memory of 4384	2944	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
"C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
  C:\Users\Admin\AppData\Local\Temp\a525347c7c8019774a328fd8dc8ea209c351a4dce07a94771e7c67212fae8ece.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 268
        8⤵
        Program crash
        
        PID:4864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 304
        6⤵
        Program crash
        
        PID:4960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 288
      4⤵
      Program crash
      PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 288
  2⤵
  - Program crash
  PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3056 -ip 3056
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1180 -ip 1180
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4164 -ip 4164
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2944 -ip 2944
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
04ea1d9cd900cc6d4eeff9dd76c532dc

SHA1
5a2ed33365d4aa404d2d38fabe30ed475fd2bc9c

SHA256
ee6197c65e2824b1d92cfcbf28328779abc0c19d7ce9020a61743c298ee4b5f4

SHA512
f929cd8f83e5b0a0cc722de573b1508f420f6165ddfe0407e4e35cd3ae97f2d52f7c04f3d79f48c891ac6a7b78eb9df313e9b9bb03c85c45b9589afa525e99b8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
49a30a6dc3b7aadd95ee9246e463ffea

SHA1
26f1aa0530a93266d52fc0122bbe58f328197b71

SHA256
78b35f4cb2633f125332ad0dc3afb3b8c145a7234d7731b20fd894645ccc478c

SHA512
05974872823bb57cbf64cd2f5faab605e14383fab0c38f8d3c6de10835c07de201a9eee3d8f4d0808443fc4e372bb5faaa772953771b83501634e9c30f28ebc8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d626d566b18e6af982e7bd153c25ae6d

SHA1
b5acb8f304531327d49f256af9ff83337f5bcd18

SHA256
93578ae5e22dce2573a5e0f4ea2bc42619d09f6ee6e6cf2eae1d7728a9857ce0

SHA512
7a6e62e22c5bf09dc0a5073dd1967163261d8eb0a63453fddf56f1c9ab68c4b4802fcee5cb53179a066e6cb2d6c5bf96b3dbdd3c91ee91338eeefa0766f56fce

Download Submit
memory/1180-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1180-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2944-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3056-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3056-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3364-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4164-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4164-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4384-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4384-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4384-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download