neconyd | 2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
Size

96KB
MD5

94db6bb5e7fcf3f787783b451cc4e758
SHA1

2cc1a4f04f2a834bfd0d7d5e12e5bf8bfbbec968
SHA256

2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5
SHA512

142aafcd976eeb76021766d69fa63210b4afe402feb41a877939d386025537b9397c2192a0c0869c014b20808388894eb95d0648310243893aa8fb3e89d19b79
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:UGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1556	omsecor.exe
2472	omsecor.exe
916	omsecor.exe
4564	omsecor.exe
4500	omsecor.exe
4472	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 1556 set thread context of 2472	1556	omsecor.exe	87
PID 916 set thread context of 4564	916	omsecor.exe	110
PID 4500 set thread context of 4472	4500	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4324	1312	WerFault.exe	82
3076	1556	WerFault.exe	86
4844	916	WerFault.exe	109
4848	4500	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 1312 wrote to memory of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 1312 wrote to memory of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 1312 wrote to memory of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 1312 wrote to memory of 4908	1312	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	83
PID 4908 wrote to memory of 1556	4908	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	86
PID 4908 wrote to memory of 1556	4908	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	86
PID 4908 wrote to memory of 1556	4908	2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe	86
PID 1556 wrote to memory of 2472	1556	omsecor.exe	87
PID 1556 wrote to memory of 2472	1556	omsecor.exe	87
PID 1556 wrote to memory of 2472	1556	omsecor.exe	87
PID 1556 wrote to memory of 2472	1556	omsecor.exe	87
PID 1556 wrote to memory of 2472	1556	omsecor.exe	87
PID 2472 wrote to memory of 916	2472	omsecor.exe	109
PID 2472 wrote to memory of 916	2472	omsecor.exe	109
PID 2472 wrote to memory of 916	2472	omsecor.exe	109
PID 916 wrote to memory of 4564	916	omsecor.exe	110
PID 916 wrote to memory of 4564	916	omsecor.exe	110
PID 916 wrote to memory of 4564	916	omsecor.exe	110
PID 916 wrote to memory of 4564	916	omsecor.exe	110
PID 916 wrote to memory of 4564	916	omsecor.exe	110
PID 4564 wrote to memory of 4500	4564	omsecor.exe	112
PID 4564 wrote to memory of 4500	4564	omsecor.exe	112
PID 4564 wrote to memory of 4500	4564	omsecor.exe	112
PID 4500 wrote to memory of 4472	4500	omsecor.exe	114
PID 4500 wrote to memory of 4472	4500	omsecor.exe	114
PID 4500 wrote to memory of 4472	4500	omsecor.exe	114
PID 4500 wrote to memory of 4472	4500	omsecor.exe	114
PID 4500 wrote to memory of 4472	4500	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
"C:\Users\Admin\AppData\Local\Temp\2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
  C:\Users\Admin\AppData\Local\Temp\2f1188d9fd663b3fbc33bda75bca8dacc9f54d1bc70296d7cab00d55391812d5.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 256
        8⤵
        Program crash
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 296
        6⤵
        Program crash
        
        PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 300
      4⤵
      Program crash
      PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 300
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1312 -ip 1312
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1556 -ip 1556
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 916 -ip 916
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4500 -ip 4500
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f81f04cca62679cee0bd5ecbcb26fbe0

SHA1
4ef5ff914e5182a00461164f77db69ab8bd50007

SHA256
796115881644ae603190528388c8e024052ec2670a94e8fa36dba19b189b4392

SHA512
aa78f84fe4a5f45db44687cdc17e08a7973b28f49e6ef1a297a3cc0eb3c6fe7fca503bb0aff6ec0563697c8ae3e4697ea4e66f8362c8ac698dec153185f02715

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cd5180502d9e180169dd69b344d62558

SHA1
873e0e7f81457f90fd4cf87c739a43b6820f9039

SHA256
a800edd6d7ac59c35b3c0c9dcfeb803baa8319b9842177d6eaffa648e9f6d7b3

SHA512
f2a65a8ca2c390ca127827de3ece1b6b7824661a400fcc32e617fc9e94b304f65a294db2c7bebeb7e8e6301ed2b0f8b8620ae67fb27648372bd58d758848d01f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f65a658ae7babc74c7e742376a7a7097

SHA1
b9e217c321ae45819ed75f6afd8111074fdc794e

SHA256
990e2cb99225fc822c573d8cbd353817b05f5f9e668eee3c89760d89b005f757

SHA512
58e83b0a129481c824d1c251f4b7bf51623741ce59fcafec60839bb1449a818c65f1142aa971699678f63ed507c7fa8559691538abd4d4be57ee811e6d8a52da

Download Submit
memory/916-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/916-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1312-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1312-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1556-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1556-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2472-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4500-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4564-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download