neconyd | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9d

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Size

134KB
MD5

ef7dc6be4eb3b062cea32a16250b4330
SHA1

42e0d5032f4df88c0b386d53b0899ddaec3e93d9
SHA256

1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9d
SHA512

b3df8f230dc6cb74e49445990980f42d2ec0c4f49b5c4786f82e54d0be15939f23993ed2d15d4e8a049f296d5fbfa02825a32271d3e4cd829a6b2af669630cd3
SSDEEP

1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2700	omsecor.exe
3416	omsecor.exe
4896	omsecor.exe
4424	omsecor.exe
1924	omsecor.exe
3392	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 2700 set thread context of 3416	2700	omsecor.exe	89
PID 4896 set thread context of 4424	4896	omsecor.exe	110
PID 1924 set thread context of 3392	1924	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2292	2304	WerFault.exe	83
4100	2700	WerFault.exe	87
700	4896	WerFault.exe	109
2980	1924	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 2304 wrote to memory of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 2304 wrote to memory of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 2304 wrote to memory of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 2304 wrote to memory of 1832	2304	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	84
PID 1832 wrote to memory of 2700	1832	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	87
PID 1832 wrote to memory of 2700	1832	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	87
PID 1832 wrote to memory of 2700	1832	1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe	87
PID 2700 wrote to memory of 3416	2700	omsecor.exe	89
PID 2700 wrote to memory of 3416	2700	omsecor.exe	89
PID 2700 wrote to memory of 3416	2700	omsecor.exe	89
PID 2700 wrote to memory of 3416	2700	omsecor.exe	89
PID 2700 wrote to memory of 3416	2700	omsecor.exe	89
PID 3416 wrote to memory of 4896	3416	omsecor.exe	109
PID 3416 wrote to memory of 4896	3416	omsecor.exe	109
PID 3416 wrote to memory of 4896	3416	omsecor.exe	109
PID 4896 wrote to memory of 4424	4896	omsecor.exe	110
PID 4896 wrote to memory of 4424	4896	omsecor.exe	110
PID 4896 wrote to memory of 4424	4896	omsecor.exe	110
PID 4896 wrote to memory of 4424	4896	omsecor.exe	110
PID 4896 wrote to memory of 4424	4896	omsecor.exe	110
PID 4424 wrote to memory of 1924	4424	omsecor.exe	112
PID 4424 wrote to memory of 1924	4424	omsecor.exe	112
PID 4424 wrote to memory of 1924	4424	omsecor.exe	112
PID 1924 wrote to memory of 3392	1924	omsecor.exe	113
PID 1924 wrote to memory of 3392	1924	omsecor.exe	113
PID 1924 wrote to memory of 3392	1924	omsecor.exe	113
PID 1924 wrote to memory of 3392	1924	omsecor.exe	113
PID 1924 wrote to memory of 3392	1924	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
"C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
  C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 268
        8⤵
        Program crash
        
        PID:2980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 300
        6⤵
        Program crash
        
        PID:700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 292
      4⤵
      Program crash
      PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 300
  2⤵
  - Program crash
  PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2304 -ip 2304
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2700 -ip 2700
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4896 -ip 4896
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1924 -ip 1924
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
94362bd0c6f00272658c32a4bfffcf5f

SHA1
dbf49a6c6fde856b772221da5b5978dff64f7a58

SHA256
b29ce69e20e3dc191cdeb3c240907eebb02fe1c8b8bd3e5f552e4f32b92ea8dc

SHA512
8c89b241bebc01decaba662edf8f9c07a31d8932f6c854d962725ac6f2246e5d608d037fe15d6ba0acd4ccabed55d571359dbadc1719edcf57d7602686ec105b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
877734ddc962cb783fa2cc4a79624d15

SHA1
cc589ebfa2c4d447bb1b946c12e7a3722d2c480e

SHA256
a264696575c1bd19e11291f117e2b90fd4e8639d07a6d4501ea6d79fbaba002f

SHA512
f844b3150b3d689d3c33ca2decbaf7a4d8313e6c81fb116d8ba755c08d452e7106934f90439ea06ec7ccb4ca2f0832bd981d4b6bc9efbfa21f139ea3cb2ebffb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
1723c4f73408e95a770ef32f42fb7d06

SHA1
2d8e8d2a86028e09ea3585e286dde689b46e91bc

SHA256
5d0e9f87342d53524de0e2ddee6805bf884f8c32bd4d26f6d3402c76895510e5

SHA512
e1eca9586b215f4091dbb2c23e2196e45f4f45a439f6000719dc5967b26d9cf976097b81c30919c1295995345fa0e5591bdea57382af600c19ce12a951f01662

Download Submit
memory/1832-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3392-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4896-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4896-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download