neconyd | 4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754

Analysis

max time kernel
115s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
Size

96KB
MD5

c3c9082ca4d6f729c7cb85020d976e80
SHA1

36850f28b3bf166fcf19d73dcedcfcfff0905f2b
SHA256

4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754
SHA512

76adb5e809b78b5e027b0bc25e0cb3604d7872d0664b76ec61c93118ec5f43141a708eb7fd9b20272abe3dedbb35f71e55046c5b344377afd9121b41f3bf790d
SSDEEP

1536:snAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:sGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
728	omsecor.exe
3948	omsecor.exe
2248	omsecor.exe
4344	omsecor.exe
3956	omsecor.exe
4332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 728 set thread context of 3948	728	omsecor.exe	88
PID 2248 set thread context of 4344	2248	omsecor.exe	109
PID 3956 set thread context of 4332	3956	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4480	2016	WerFault.exe	82
4684	728	WerFault.exe	85
2500	2248	WerFault.exe	108
4748	3956	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 2016 wrote to memory of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 2016 wrote to memory of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 2016 wrote to memory of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 2016 wrote to memory of 940	2016	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	83
PID 940 wrote to memory of 728	940	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	85
PID 940 wrote to memory of 728	940	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	85
PID 940 wrote to memory of 728	940	4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe	85
PID 728 wrote to memory of 3948	728	omsecor.exe	88
PID 728 wrote to memory of 3948	728	omsecor.exe	88
PID 728 wrote to memory of 3948	728	omsecor.exe	88
PID 728 wrote to memory of 3948	728	omsecor.exe	88
PID 728 wrote to memory of 3948	728	omsecor.exe	88
PID 3948 wrote to memory of 2248	3948	omsecor.exe	108
PID 3948 wrote to memory of 2248	3948	omsecor.exe	108
PID 3948 wrote to memory of 2248	3948	omsecor.exe	108
PID 2248 wrote to memory of 4344	2248	omsecor.exe	109
PID 2248 wrote to memory of 4344	2248	omsecor.exe	109
PID 2248 wrote to memory of 4344	2248	omsecor.exe	109
PID 2248 wrote to memory of 4344	2248	omsecor.exe	109
PID 2248 wrote to memory of 4344	2248	omsecor.exe	109
PID 4344 wrote to memory of 3956	4344	omsecor.exe	111
PID 4344 wrote to memory of 3956	4344	omsecor.exe	111
PID 4344 wrote to memory of 3956	4344	omsecor.exe	111
PID 3956 wrote to memory of 4332	3956	omsecor.exe	112
PID 3956 wrote to memory of 4332	3956	omsecor.exe	112
PID 3956 wrote to memory of 4332	3956	omsecor.exe	112
PID 3956 wrote to memory of 4332	3956	omsecor.exe	112
PID 3956 wrote to memory of 4332	3956	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
"C:\Users\Admin\AppData\Local\Temp\4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
  C:\Users\Admin\AppData\Local\Temp\4d9263337fbba1e57004b48e7650ad5c29106ca9b87b92ebc262f5bf6d9dc754N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 268
        8⤵
        Program crash
        
        PID:4748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 292
        6⤵
        Program crash
        
        PID:2500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 300
      4⤵
      Program crash
      PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 300
  2⤵
  - Program crash
  PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2016 -ip 2016
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 728 -ip 728
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2248 -ip 2248
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3956 -ip 3956
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c156cde1d5aa33b10af50b1a349e934d

SHA1
52ce8aa689ea9d63132f91fbe41f230f09fa2d1a

SHA256
a47e341c1e41d92f3d031e818dfc1b26727d7585f49e7a11e0d7d50f5bd36019

SHA512
08d369ada07737dfcc8e5d073bfc6dd817645833daf7143c14e3237190b41fac2ab2f9214337caa5c16dc0c93b3957ece2e7f54afbfb91ceef61ff0f3e9ba895

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
064a6a7912924367409b201f465c9254

SHA1
286d4e6649476dcd55ebf9c01d668bf34c513ead

SHA256
4f30c3a0012ea227c95f296d1246de3c0ffd87bba4df3c7c7bc4023c8820a68e

SHA512
1d6650fdc94c418d67b4cf9759b26a72cb53b7ca66d9b9af5f396adcb7ebda8e62ab12135051c142f3a20a49f3ac75661d43ccf505b0b136bb3950b70d97f697

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3c7c98a0c70e1f81c271fc86a6760624

SHA1
80298465ba823a73ab6362eff42936f88c3f7985

SHA256
3e10727ce3ca24b259321dd2cb0e3653e3df13b2a1bc9bfe93118a246e037bf6

SHA512
d5ac3f1620132b3eb26c0b6371d84a2f61ccfbb94f610fa248c15fbeadb3bbe8bbdb794ea6042b4e4828f1f15f04d2067eef63bc043074e5c495667d62440986

Download Submit
memory/728-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/940-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/940-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/940-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/940-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3948-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3956-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4332-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download