neconyd | a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Size

96KB
MD5

0b392359a652f185cb5d802d17b32e7a
SHA1

4ccf8207bd88f50b6e8ffb1e6d75c6be19b8776a
SHA256

a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c
SHA512

65ea75b38bbd8c50da1dda641fb13c83dea793ff5171d729fbf39850a761b24f0b9088bbac6fc0e7dfc83c60ddb514d3b521347371c5542e5936fb652b230391
SSDEEP

1536:snAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:sGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4016	omsecor.exe
3760	omsecor.exe
2572	omsecor.exe
4908	omsecor.exe
1672	omsecor.exe
548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 4016 set thread context of 3760	4016	omsecor.exe	87
PID 2572 set thread context of 4908	2572	omsecor.exe	100
PID 1672 set thread context of 548	1672	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4420	1124	WerFault.exe	81
1176	4016	WerFault.exe	85
2224	2572	WerFault.exe	99
4304	1672	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 1124 wrote to memory of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 1124 wrote to memory of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 1124 wrote to memory of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 1124 wrote to memory of 2056	1124	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	82
PID 2056 wrote to memory of 4016	2056	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	85
PID 2056 wrote to memory of 4016	2056	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	85
PID 2056 wrote to memory of 4016	2056	a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe	85
PID 4016 wrote to memory of 3760	4016	omsecor.exe	87
PID 4016 wrote to memory of 3760	4016	omsecor.exe	87
PID 4016 wrote to memory of 3760	4016	omsecor.exe	87
PID 4016 wrote to memory of 3760	4016	omsecor.exe	87
PID 4016 wrote to memory of 3760	4016	omsecor.exe	87
PID 3760 wrote to memory of 2572	3760	omsecor.exe	99
PID 3760 wrote to memory of 2572	3760	omsecor.exe	99
PID 3760 wrote to memory of 2572	3760	omsecor.exe	99
PID 2572 wrote to memory of 4908	2572	omsecor.exe	100
PID 2572 wrote to memory of 4908	2572	omsecor.exe	100
PID 2572 wrote to memory of 4908	2572	omsecor.exe	100
PID 2572 wrote to memory of 4908	2572	omsecor.exe	100
PID 2572 wrote to memory of 4908	2572	omsecor.exe	100
PID 4908 wrote to memory of 1672	4908	omsecor.exe	102
PID 4908 wrote to memory of 1672	4908	omsecor.exe	102
PID 4908 wrote to memory of 1672	4908	omsecor.exe	102
PID 1672 wrote to memory of 548	1672	omsecor.exe	104
PID 1672 wrote to memory of 548	1672	omsecor.exe	104
PID 1672 wrote to memory of 548	1672	omsecor.exe	104
PID 1672 wrote to memory of 548	1672	omsecor.exe	104
PID 1672 wrote to memory of 548	1672	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
"C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
  C:\Users\Admin\AppData\Local\Temp\a92d2b4027e0323bcebcc796716b231af77696dbea61eb09e234a3632ad7a97c.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 256
        8⤵
        Program crash
        
        PID:4304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 292
        6⤵
        Program crash
        
        PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 272
      4⤵
      Program crash
      PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 288
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1124 -ip 1124
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4016 -ip 4016
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2572 -ip 2572
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1672 -ip 1672
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
870ce719dbeb9855192f26904bc0af43

SHA1
b15a3b901bdd47184fed1f846eee69f6280a1611

SHA256
7ac2f3ba8333c4e4650b89e146fbf031c85c079dd674c99b131052d3aaa0a283

SHA512
3ac5a5649b50d149f8f8c46ddb3e05b45d74c6788f6539847cdc7bba764e544e2d669c798e4805505cac75d855d0632b0d215131f82ccd6ae40b05957248caca

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e9e683900ee96f066e46cfaa5d508275

SHA1
96ad9dc12b1983a0f7dc34db88e48f4ca3a5fe29

SHA256
89ba4184363a03e939f88438801f6e8edeee8a864c48a0fb512132f935389cc3

SHA512
df6cade8f6bf7d4edb9d25f2893f99e59ad9c7ba36c7f9966f314577e4a3b9ea2d61b8062fbb2b7383f533263c976922ceb8d7fbea76d66c0a75a5bfd8ada9dc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e8aa6c19e9eac07d8801dd27fdb443a8

SHA1
90a3abb5abd8bfdccd4cde2d1b473975cfb7db30

SHA256
ef8f4d9ecbcbc3ab458265f940131aa52de06286b40320b95bac34917b065059

SHA512
1e26532d532a2e9f59ef93e5d801b1b1267490c46e5ffa1cffa2e2df3dae09856d686dbc225470f42635d3ac347d258a2d715fc4c9972ca9214aba4e36395c23

Download Submit
memory/548-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1124-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1124-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2056-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3760-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4016-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4016-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4908-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download