neconyd | 6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Size

96KB
MD5

8fc5f68cde19d34cf651fc419d9e231e
SHA1

ad35d560d15cb94f688f6caeceb72dce1870f059
SHA256

6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4
SHA512

86a8dc65e2f15ca424059ea67235a4b183fc7a3986b87495ebf114d7a665187032f7f226b72d2dee26fb4692b42c6a6bc213184c3717c18847ee71797a7f0aa5
SSDEEP

1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx6:LGs8cd8eXlYairZYqMddH136

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1496	omsecor.exe
5044	omsecor.exe
1720	omsecor.exe
3948	omsecor.exe
2016	omsecor.exe
4076	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 1496 set thread context of 5044	1496	omsecor.exe	88
PID 1720 set thread context of 3948	1720	omsecor.exe	108
PID 2016 set thread context of 4076	2016	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2324	4668	WerFault.exe	82
4268	1496	WerFault.exe	85
2216	1720	WerFault.exe	107
3556	2016	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 4668 wrote to memory of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 4668 wrote to memory of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 4668 wrote to memory of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 4668 wrote to memory of 2036	4668	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	83
PID 2036 wrote to memory of 1496	2036	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	85
PID 2036 wrote to memory of 1496	2036	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	85
PID 2036 wrote to memory of 1496	2036	6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe	85
PID 1496 wrote to memory of 5044	1496	omsecor.exe	88
PID 1496 wrote to memory of 5044	1496	omsecor.exe	88
PID 1496 wrote to memory of 5044	1496	omsecor.exe	88
PID 1496 wrote to memory of 5044	1496	omsecor.exe	88
PID 1496 wrote to memory of 5044	1496	omsecor.exe	88
PID 5044 wrote to memory of 1720	5044	omsecor.exe	107
PID 5044 wrote to memory of 1720	5044	omsecor.exe	107
PID 5044 wrote to memory of 1720	5044	omsecor.exe	107
PID 1720 wrote to memory of 3948	1720	omsecor.exe	108
PID 1720 wrote to memory of 3948	1720	omsecor.exe	108
PID 1720 wrote to memory of 3948	1720	omsecor.exe	108
PID 1720 wrote to memory of 3948	1720	omsecor.exe	108
PID 1720 wrote to memory of 3948	1720	omsecor.exe	108
PID 3948 wrote to memory of 2016	3948	omsecor.exe	110
PID 3948 wrote to memory of 2016	3948	omsecor.exe	110
PID 3948 wrote to memory of 2016	3948	omsecor.exe	110
PID 2016 wrote to memory of 4076	2016	omsecor.exe	112
PID 2016 wrote to memory of 4076	2016	omsecor.exe	112
PID 2016 wrote to memory of 4076	2016	omsecor.exe	112
PID 2016 wrote to memory of 4076	2016	omsecor.exe	112
PID 2016 wrote to memory of 4076	2016	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
"C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
  C:\Users\Admin\AppData\Local\Temp\6bc419bdef541e710b923044c31bbcb1b2ce2af98135333aefe0869d00d2e2e4.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 256
        8⤵
        Program crash
        
        PID:3556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 292
        6⤵
        Program crash
        
        PID:2216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 288
      4⤵
      Program crash
      PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 288
  2⤵
  - Program crash
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4668 -ip 4668
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1496 -ip 1496
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1720 -ip 1720
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2016 -ip 2016
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
078293991c51d4689e6869d7869190ce

SHA1
cfe4a05c6218de036515379646411b7880bb027e

SHA256
58c15304bf1fb060f81f75aeccaa7c032ae3673315a24f0f52c00a0f1b853e11

SHA512
8b211e94817f8e1ccf63bbcaf60f5306fad89e7b90ecca38aee08fd124c07c9337526f7e358e10760996c58e1834218fa637e27f5f778e81dcec3fc57fe688fd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
902b56eb9f3314f4b7480a686391e90f

SHA1
17e3a093343ef6876ce9d1a96ffc62526cd88645

SHA256
0a7eda8c40b0c712fd02e1fa13c97a102e19d8879f302e314b7c5ecae26b00e5

SHA512
ef50e86673ca11c08da80697d633e8cee5a6c4d2e99c5fc1c104852d640a2a5d1ee456119dea1148a8fe28347f55a71586938930996b645351a3c1e3b7178393

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
abeeadd0b52e29ff50c327a22c47998b

SHA1
27d1b12f27c172a0867693a8a15cec9066ccda0e

SHA256
9b5a32309f101824aced086f9ceeb7ea4c3203393d1c46bc2644d9bdb3a1e540

SHA512
7ef3dd5a5a1b3dd21a8be75098bdbf6b6b5b672ad727e825982462f45e3664e6af159447581eee09599c11c4bfbd56b01baf9ab408484f11c7d606b06502f773

Download Submit
memory/1496-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1720-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1720-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4076-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4076-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4076-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4668-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4668-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5044-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download