neconyd | 739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Size

96KB
MD5

080594bcf7871f91672db59210446840
SHA1

f831d47f2d7ea176b6b41e88b5318167ade5b450
SHA256

739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42
SHA512

19ae0b3a739a1f27a2e702c2fb8d23f8a14eeb9eed537e177276b0fdae90eaf118ec319048b6517bddcb448bec988688d50b425ebc4e82402fe1decd89974639
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:5Gs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4008	omsecor.exe
4420	omsecor.exe
368	omsecor.exe
1292	omsecor.exe
4376	omsecor.exe
540	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 4008 set thread context of 4420	4008	omsecor.exe	87
PID 368 set thread context of 1292	368	omsecor.exe	109
PID 4376 set thread context of 540	4376	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
936	1604	WerFault.exe	82
2004	4008	WerFault.exe	86
4584	368	WerFault.exe	108
2400	4376	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 1604 wrote to memory of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 1604 wrote to memory of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 1604 wrote to memory of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 1604 wrote to memory of 2444	1604	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	83
PID 2444 wrote to memory of 4008	2444	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	86
PID 2444 wrote to memory of 4008	2444	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	86
PID 2444 wrote to memory of 4008	2444	739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe	86
PID 4008 wrote to memory of 4420	4008	omsecor.exe	87
PID 4008 wrote to memory of 4420	4008	omsecor.exe	87
PID 4008 wrote to memory of 4420	4008	omsecor.exe	87
PID 4008 wrote to memory of 4420	4008	omsecor.exe	87
PID 4008 wrote to memory of 4420	4008	omsecor.exe	87
PID 4420 wrote to memory of 368	4420	omsecor.exe	108
PID 4420 wrote to memory of 368	4420	omsecor.exe	108
PID 4420 wrote to memory of 368	4420	omsecor.exe	108
PID 368 wrote to memory of 1292	368	omsecor.exe	109
PID 368 wrote to memory of 1292	368	omsecor.exe	109
PID 368 wrote to memory of 1292	368	omsecor.exe	109
PID 368 wrote to memory of 1292	368	omsecor.exe	109
PID 368 wrote to memory of 1292	368	omsecor.exe	109
PID 1292 wrote to memory of 4376	1292	omsecor.exe	111
PID 1292 wrote to memory of 4376	1292	omsecor.exe	111
PID 1292 wrote to memory of 4376	1292	omsecor.exe	111
PID 4376 wrote to memory of 540	4376	omsecor.exe	113
PID 4376 wrote to memory of 540	4376	omsecor.exe	113
PID 4376 wrote to memory of 540	4376	omsecor.exe	113
PID 4376 wrote to memory of 540	4376	omsecor.exe	113
PID 4376 wrote to memory of 540	4376	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
"C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
  C:\Users\Admin\AppData\Local\Temp\739b78ad0a55b39f776d3f584306fc12de6b7ed187f59c4213dba46fd51b6f42N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 256
        8⤵
        Program crash
        
        PID:2400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 292
        6⤵
        Program crash
        
        PID:4584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 304
      4⤵
      Program crash
      PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 252
  2⤵
  - Program crash
  PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1604 -ip 1604
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4008 -ip 4008
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 368 -ip 368
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4376 -ip 4376
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f80d35de242cc639090766666861eba3

SHA1
41e393986936b9bec68a412008c12e68222c6872

SHA256
c58f99a78efb58a3f70072914a1e9bbcc6849df5ee64d845c8db488c9519fb7e

SHA512
bb8b07a5560ee37b122b60c26327acf7f5e620394057a61a38fd6cab52746793a7fd193e6987c75abe9f5e397c684b13f6cf0e2550481686ce8bfd1fbbc054ab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
70eed2c6a8c9f63917f1ed0eac86a39e

SHA1
8ead821ad2cbe5a41aa244d4003f5bb1f4fffaca

SHA256
520334db5d4fa1f2bf193e8f808ec37f668f638db17fdb9ef8f2846727ee7c54

SHA512
a6c1b167260b7fddfaad963096fc9f01c30d7cabc11faeadec69845fd22e867f8e431335e6404781d28169549a794f942ae3f16960b064eecc1df6fad3c2c3a7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ddba636c73bf4ac778d735800335cbb3

SHA1
a1a81ffb87c7b6496eb6556093dc1eb4429bc956

SHA256
5b4aa3a79c4502a1389d12826eebd6e5545a4ee6d1c523aed3d87bbc11e5fa19

SHA512
b7f5fa35984acff22e7e594b69ec4fe81360cbffde17e9c78fe9b6359161b51acbb5ab14d5f9bd74371c7b17223542bdcd59143efdf758ac7dd5b100543180f2

Download Submit
memory/368-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/368-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/540-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1604-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2444-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2444-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2444-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2444-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4008-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4376-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4376-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4420-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download