neconyd | 1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
Size

96KB
MD5

d859eddc3229abfa0ad3979a10e73800
SHA1

57e3e460dbdb277bec56b892f27d24b01a308bee
SHA256

1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1
SHA512

0795e2fe740b2e80da864518db47ab0e884380e6357e5c7b78f7054ace55f3f7f463faa03e9f112670f41fa79e8343bd0b0b9dbe36f20e94cb0c2aaa7aa67a02
SSDEEP

1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:qGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2612	omsecor.exe
4548	omsecor.exe
4492	omsecor.exe
4840	omsecor.exe
2524	omsecor.exe
4732	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 2612 set thread context of 4548	2612	omsecor.exe	86
PID 4492 set thread context of 4840	4492	omsecor.exe	100
PID 2524 set thread context of 4732	2524	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3108	1704	WerFault.exe	81
3636	2612	WerFault.exe	84
3964	2524	WerFault.exe
3412	4492	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 1704 wrote to memory of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 1704 wrote to memory of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 1704 wrote to memory of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 1704 wrote to memory of 1432	1704	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	82
PID 1432 wrote to memory of 2612	1432	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	84
PID 1432 wrote to memory of 2612	1432	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	84
PID 1432 wrote to memory of 2612	1432	1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe	84
PID 2612 wrote to memory of 4548	2612	omsecor.exe	86
PID 2612 wrote to memory of 4548	2612	omsecor.exe	86
PID 2612 wrote to memory of 4548	2612	omsecor.exe	86
PID 2612 wrote to memory of 4548	2612	omsecor.exe	86
PID 2612 wrote to memory of 4548	2612	omsecor.exe	86
PID 4548 wrote to memory of 4492	4548	omsecor.exe	99
PID 4548 wrote to memory of 4492	4548	omsecor.exe	99
PID 4548 wrote to memory of 4492	4548	omsecor.exe	99
PID 4492 wrote to memory of 4840	4492	omsecor.exe	100
PID 4492 wrote to memory of 4840	4492	omsecor.exe	100
PID 4492 wrote to memory of 4840	4492	omsecor.exe	100
PID 4492 wrote to memory of 4840	4492	omsecor.exe	100
PID 4492 wrote to memory of 4840	4492	omsecor.exe	100
PID 4840 wrote to memory of 2524	4840	omsecor.exe	102
PID 4840 wrote to memory of 2524	4840	omsecor.exe	102
PID 4840 wrote to memory of 2524	4840	omsecor.exe	102
PID 2524 wrote to memory of 4732	2524	omsecor.exe	104
PID 2524 wrote to memory of 4732	2524	omsecor.exe	104
PID 2524 wrote to memory of 4732	2524	omsecor.exe	104
PID 2524 wrote to memory of 4732	2524	omsecor.exe	104
PID 2524 wrote to memory of 4732	2524	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
"C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
  C:\Users\Admin\AppData\Local\Temp\1a3b86c91a20832fc5bd3637d4b511a21e94898b9bb65c363b82340f722507d1N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 256
        8⤵
        Program crash
        
        PID:3964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 292
        6⤵
        Program crash
        
        PID:3412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 288
      4⤵
      Program crash
      PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 296
  2⤵
  - Program crash
  PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1704 -ip 1704
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2612 -ip 2612
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4492 -ip 4492
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2524 -ip 2524
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
30b2140f6474f91687e3fe2883628eec

SHA1
dfa56d29f2a80aa56fba8c2c08d16d468dd46e93

SHA256
7cb85582b0f04b6b26e1e5a075566b857a74ef1227aa2f002646f3bc0651f39e

SHA512
e729f4be206ae01b08d53a030e567fa32766c69fa7fa52884438d8397d88ed08c67c3c7d7e5b3a82c5c508f5475cd01a6a6d738fb2f9d327d64b6f9fda0f2308

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
204856c14e20765765c94991ef77d099

SHA1
ae5caff388434a93a4d0b9136de306486c1afec8

SHA256
07679811f4b7c3141681832bb8f704ecea2e6b0938cdb39d934a81877b9894a9

SHA512
21c60207639916f2a2ac668df981bfa1faab26ab04544d2af6d2463ac62abddbec4292adbb8b70ab51553271eee280bcabf34e2631725d5b54aaf4dbdf4de84a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2b1465fdea6049ff91d3a62f5bcdb922

SHA1
570500ba1013ac4040eaee4201d82289a418f8c6

SHA256
72c5094a8cac36ffd8219f611d6dcf87df2396030c4adf066d1a6061f5c24e23

SHA512
688a661f616147dabf7088ed164d48e68a40d43605c212fe478f3971f9eff3261fbf52a852c618fda5e5e41871b6ef1aa32e36ea60bb2434c011da9cfc4dc02e

Download Submit
memory/1432-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1432-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1432-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1432-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1704-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2612-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2612-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4492-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4492-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4548-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4732-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download