neconyd | eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
Size

96KB
MD5

9077f406c77180e40d5be6e2c416b925
SHA1

4c5d516ee659ef093d3951de4bdf1e277e304aae
SHA256

eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543
SHA512

280c8fd447a7e3ba8ac811246f78f496efa06da24e9b8ec89fa8663fec3ef777452c36b610cf19586d4f9d943a4ba93f45bd0d41f43b8912823b44a7f00e1c06
SSDEEP

1536:onAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:oGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3476	omsecor.exe
3864	omsecor.exe
1488	omsecor.exe
1816	omsecor.exe
3048	omsecor.exe
2956	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 3476 set thread context of 3864	3476	omsecor.exe	87
PID 1488 set thread context of 1816	1488	omsecor.exe	100
PID 3048 set thread context of 2956	3048	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1812	1112	WerFault.exe	81
2756	3476	WerFault.exe	84
1436	1488	WerFault.exe	99
1628	3048	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 1112 wrote to memory of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 1112 wrote to memory of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 1112 wrote to memory of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 1112 wrote to memory of 2260	1112	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	82
PID 2260 wrote to memory of 3476	2260	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	84
PID 2260 wrote to memory of 3476	2260	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	84
PID 2260 wrote to memory of 3476	2260	eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe	84
PID 3476 wrote to memory of 3864	3476	omsecor.exe	87
PID 3476 wrote to memory of 3864	3476	omsecor.exe	87
PID 3476 wrote to memory of 3864	3476	omsecor.exe	87
PID 3476 wrote to memory of 3864	3476	omsecor.exe	87
PID 3476 wrote to memory of 3864	3476	omsecor.exe	87
PID 3864 wrote to memory of 1488	3864	omsecor.exe	99
PID 3864 wrote to memory of 1488	3864	omsecor.exe	99
PID 3864 wrote to memory of 1488	3864	omsecor.exe	99
PID 1488 wrote to memory of 1816	1488	omsecor.exe	100
PID 1488 wrote to memory of 1816	1488	omsecor.exe	100
PID 1488 wrote to memory of 1816	1488	omsecor.exe	100
PID 1488 wrote to memory of 1816	1488	omsecor.exe	100
PID 1488 wrote to memory of 1816	1488	omsecor.exe	100
PID 1816 wrote to memory of 3048	1816	omsecor.exe	102
PID 1816 wrote to memory of 3048	1816	omsecor.exe	102
PID 1816 wrote to memory of 3048	1816	omsecor.exe	102
PID 3048 wrote to memory of 2956	3048	omsecor.exe	104
PID 3048 wrote to memory of 2956	3048	omsecor.exe	104
PID 3048 wrote to memory of 2956	3048	omsecor.exe	104
PID 3048 wrote to memory of 2956	3048	omsecor.exe	104
PID 3048 wrote to memory of 2956	3048	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
"C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
  C:\Users\Admin\AppData\Local\Temp\eaac3b63afb4b2ed7b1f2ac1b7474552059ddb471a9cb40661fd14edd1f77543.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 256
        8⤵
        Program crash
        
        PID:1628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 292
        6⤵
        Program crash
        
        PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 300
      4⤵
      Program crash
      PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 300
  2⤵
  - Program crash
  PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1112 -ip 1112
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3476 -ip 3476
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1488 -ip 1488
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3048 -ip 3048
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
af5292160dc92f0f4037dac79b8ee591

SHA1
9c5c2c8c536d97cb006b6e584fed8ef516e3aac1

SHA256
b839229ca73811f08ed87dbdbcdc1b649ec759d8a07c0ea72e8499af9a8a3e11

SHA512
374dbb2fc8171862888d5df516eaa10473078cacb60626ae215fedd5d214e9424ac5c4ffb1f67697442f19c00ee8b23866a2470903f5aedfbc92ba8e9b474cc7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
036267cd3f8c64073ae67fb330140e98

SHA1
b1d13a60aae5500dbcb2b48daf3348e0807e125b

SHA256
07f12dd0c03a5c1427bb498ba6674dfb1152600ef60a7f2e7aaee9d987993227

SHA512
150b5536012f01452b6901d675343c2ea946e15a279bc653bc5b094a49e5d4e586bef9355124dd32e799c50f70b6c154ee58268fe7e7a81de2f6a44c75b43740

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
23699a03fa58dc07adf783476056929b

SHA1
febe6b89a9c3a61398a12a07c963653359956c4f

SHA256
e7d194f1bf06faad9461a986e9b7dbf4dfa84f08343aa1468a0fd8619289ff15

SHA512
41ea4eef50e51520b5ff5a8434cbb26986a5a250a3655ddc53ff6ce4736a0974caa7efea57bbba212ed4c7cb0610e53287e29f20722749e7897ac60628ce14c3

Download Submit
memory/1112-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1112-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1488-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1488-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1816-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1816-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1816-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3048-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3476-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3476-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3864-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download