neconyd | 215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
Size

96KB
MD5

44a4e8ddd0b8c71b3f53fd7d5dfb4548
SHA1

bffb2df54ec99b095237c3e85ab92b187c7a3701
SHA256

215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7
SHA512

e6cb2d37fe98c269281a25d6b6c65bddfb84dc06d396370824ed59a6a2a0af05e63c4cb0fa30b09b4e3a9d1b7b359ad70b3ea67cdae15fdf946652a07f489739
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx+:5Gs8cd8eXlYairZYqMddH13+

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
996	omsecor.exe
244	omsecor.exe
2072	omsecor.exe
3848	omsecor.exe
3916	omsecor.exe
4772	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 996 set thread context of 244	996	omsecor.exe	88
PID 2072 set thread context of 3848	2072	omsecor.exe	108
PID 3916 set thread context of 4772	3916	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4496	2920	WerFault.exe	82
3412	996	WerFault.exe	86
5040	2072	WerFault.exe	107
4388	3916	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 2920 wrote to memory of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 2920 wrote to memory of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 2920 wrote to memory of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 2920 wrote to memory of 4696	2920	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	83
PID 4696 wrote to memory of 996	4696	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	86
PID 4696 wrote to memory of 996	4696	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	86
PID 4696 wrote to memory of 996	4696	215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe	86
PID 996 wrote to memory of 244	996	omsecor.exe	88
PID 996 wrote to memory of 244	996	omsecor.exe	88
PID 996 wrote to memory of 244	996	omsecor.exe	88
PID 996 wrote to memory of 244	996	omsecor.exe	88
PID 996 wrote to memory of 244	996	omsecor.exe	88
PID 244 wrote to memory of 2072	244	omsecor.exe	107
PID 244 wrote to memory of 2072	244	omsecor.exe	107
PID 244 wrote to memory of 2072	244	omsecor.exe	107
PID 2072 wrote to memory of 3848	2072	omsecor.exe	108
PID 2072 wrote to memory of 3848	2072	omsecor.exe	108
PID 2072 wrote to memory of 3848	2072	omsecor.exe	108
PID 2072 wrote to memory of 3848	2072	omsecor.exe	108
PID 2072 wrote to memory of 3848	2072	omsecor.exe	108
PID 3848 wrote to memory of 3916	3848	omsecor.exe	110
PID 3848 wrote to memory of 3916	3848	omsecor.exe	110
PID 3848 wrote to memory of 3916	3848	omsecor.exe	110
PID 3916 wrote to memory of 4772	3916	omsecor.exe	112
PID 3916 wrote to memory of 4772	3916	omsecor.exe	112
PID 3916 wrote to memory of 4772	3916	omsecor.exe	112
PID 3916 wrote to memory of 4772	3916	omsecor.exe	112
PID 3916 wrote to memory of 4772	3916	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
"C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
  C:\Users\Admin\AppData\Local\Temp\215e97f35409a7cf090cbb483d87ffc117c55bb7e43ae4ec49daea6c0b6e1df7.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 268
        8⤵
        Program crash
        
        PID:4388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 292
        6⤵
        Program crash
        
        PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 300
      4⤵
      Program crash
      PID:3412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 288
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2920 -ip 2920
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 996 -ip 996
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2072 -ip 2072
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3916 -ip 3916
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3d3850720bddf8f7ceb67ebf65ab68ec

SHA1
9014ce11ac4b1735304751a83c87cd7d60398acd

SHA256
c0e73429471292d709508571e66fd9c5f9dfcc663f1485f65f71253a3d64e956

SHA512
7b2e01528fbfdf61aafbc01477129065b75f1fcc1cc1dd0e443a45ad7b1cc05fa4e9f167a4a433f95f9c0937200cebd54aaf11e2de8b183926d87f3ba1087234

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
33abb4d1bb2a31d21936e902fcf4b0d9

SHA1
3d37e9e6fa7f426ddac32232e81aa605cc12aad8

SHA256
d36c160c95727dc1f1b2d28cba14fe8a144d00405c5f501b1adf5422faf9a4fc

SHA512
ba5ec18f4cca7c28796ffc7667c616c1cdb24e70710ffca83c10864bdd524b160dc93c28bce24086e45338baaf793bdb8be87b4dfe84bd40acb121d44d13b55f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
8b773b5c414e693041e4e711cf75b65c

SHA1
55b74f429778ae19c39327390357de14ab63c410

SHA256
976cf2ee2d6a6c3e4e9e2bfb5a5a43b539739ba23d8f9b354b7006ba492a6f9d

SHA512
49fd57e4cf3ed7c2add1ec5c56bdafb10c326908493152c45163bb32e7dbd0092e7df2bd0cb249f2c941d80420f29a5f5484dcb1c319c76099084c60465af82b

Download Submit
memory/244-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/244-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/996-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/996-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3848-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3848-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3848-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3916-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4696-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4772-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4772-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4772-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download