neconyd | a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
Size

96KB
MD5

543e807cf6b3c90d883cb53a56978b4e
SHA1

e2db51773c28bb6130f7959cfeedbcb6bfb31457
SHA256

a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6
SHA512

d50e1c7aee2a76de5feaa1e3e0914e63fce05a9c4bc1b48375d9fd92c692cebd7549f8ce8c8f96be8ddcc6dd0c8036f99e791d2c876e85740481da7de2136b9c
SSDEEP

1536:ynAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:yGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1964	omsecor.exe
3644	omsecor.exe
4268	omsecor.exe
1280	omsecor.exe
4696	omsecor.exe
1248	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 1964 set thread context of 3644	1964	omsecor.exe	87
PID 4268 set thread context of 1280	4268	omsecor.exe	108
PID 4696 set thread context of 1248	4696	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3440	4944	WerFault.exe	82
3672	1964	WerFault.exe	86
3924	4268	WerFault.exe	107
1656	4696	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 4944 wrote to memory of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 4944 wrote to memory of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 4944 wrote to memory of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 4944 wrote to memory of 3916	4944	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	83
PID 3916 wrote to memory of 1964	3916	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	86
PID 3916 wrote to memory of 1964	3916	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	86
PID 3916 wrote to memory of 1964	3916	a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe	86
PID 1964 wrote to memory of 3644	1964	omsecor.exe	87
PID 1964 wrote to memory of 3644	1964	omsecor.exe	87
PID 1964 wrote to memory of 3644	1964	omsecor.exe	87
PID 1964 wrote to memory of 3644	1964	omsecor.exe	87
PID 1964 wrote to memory of 3644	1964	omsecor.exe	87
PID 3644 wrote to memory of 4268	3644	omsecor.exe	107
PID 3644 wrote to memory of 4268	3644	omsecor.exe	107
PID 3644 wrote to memory of 4268	3644	omsecor.exe	107
PID 4268 wrote to memory of 1280	4268	omsecor.exe	108
PID 4268 wrote to memory of 1280	4268	omsecor.exe	108
PID 4268 wrote to memory of 1280	4268	omsecor.exe	108
PID 4268 wrote to memory of 1280	4268	omsecor.exe	108
PID 4268 wrote to memory of 1280	4268	omsecor.exe	108
PID 1280 wrote to memory of 4696	1280	omsecor.exe	110
PID 1280 wrote to memory of 4696	1280	omsecor.exe	110
PID 1280 wrote to memory of 4696	1280	omsecor.exe	110
PID 4696 wrote to memory of 1248	4696	omsecor.exe	112
PID 4696 wrote to memory of 1248	4696	omsecor.exe	112
PID 4696 wrote to memory of 1248	4696	omsecor.exe	112
PID 4696 wrote to memory of 1248	4696	omsecor.exe	112
PID 4696 wrote to memory of 1248	4696	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
  C:\Users\Admin\AppData\Local\Temp\a2bc6ac66730d6ab6455170b5b49cfa8507f4283ae6da611b8f75910c11310d6.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 256
        8⤵
        Program crash
        
        PID:1656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 292
        6⤵
        Program crash
        
        PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 288
      4⤵
      Program crash
      PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 256
  2⤵
  - Program crash
  PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1964 -ip 1964
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4268 -ip 4268
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5c1c44aa62db5ac88a200bb18d92bcb2

SHA1
87a766daaa243149353d8bb59e6403ddd0c7d84b

SHA256
62cd81e08917295ac44f113259a136ef7842dbad51a101faca31b43f27f9baae

SHA512
88ccd388ff7b3a77d9d5a1978c84fcb39f3e5a0dbcca471c51da268b688820ec083e4b566e2f657881497fa1c9c3b68099f8e116acb414fcb411734ae5f7fa1f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9630506f4a936fd3a0712b911303c08d

SHA1
737dd8b6023788a03b589dd9cb9c8305a029b18a

SHA256
f213e3df6c2bd90f0a12c0074120b8e5e34cdfd896715ec54a41573c9475149e

SHA512
7cdeec0ecdd3c86a4411ed47af5078a08b403dbbffcccd3d50dde583d2ac836e22dc4a919cd6f9affbf80be6a8cd8a6430caa43cce139dbbed464bb279689596

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9db33af2c5a772f8e6f8101d6b32ab88

SHA1
ccc0433fc48bfe38328ebad997b8f9d34e11aa6f

SHA256
f02920aa46d7caaf975887a672ef2e7768f2cc51c6d15260a8546eee9246e6e1

SHA512
d17cfbd9b5d41075dd972153175b48024be5bac7f7cfdc1f1e6ffd097c73bcd3d3167b3e899f4696e539b7949eb5d58b26bb84ed2b509cf0effde37042c7af1a

Download Submit
memory/1248-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1964-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3644-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3644-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4268-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4268-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4696-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4696-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4944-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4944-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download