neconyd | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Size

96KB
MD5

1ed206ccb847192d9a5bc700d2ce9f30
SHA1

8cd8f19f39ba976f4ae5260aa247b534dc78a7f7
SHA256

3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae
SHA512

ff27ddf559984e66e34dec8e88ba876a92b0103921bb0bbe53eabefc015079bf9ba6ed43d595ffcfb6b730a591a5fbc3e1e07e2ed21a01605f2e125e8c67a42a
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5084	omsecor.exe
4192	omsecor.exe
4944	omsecor.exe
960	omsecor.exe
2080	omsecor.exe
4148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 5084 set thread context of 4192	5084	omsecor.exe	87
PID 4944 set thread context of 960	4944	omsecor.exe	93
PID 2080 set thread context of 4148	2080	omsecor.exe	97

Program crash 4 IoCs

pid	pid_target	Process	procid_target
876	5084	WerFault.exe
2212	2588	WerFault.exe	81
4056	4944	WerFault.exe	92
3280	2080	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 2588 wrote to memory of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 2588 wrote to memory of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 2588 wrote to memory of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 2588 wrote to memory of 2460	2588	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	82
PID 2460 wrote to memory of 5084	2460	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	85
PID 2460 wrote to memory of 5084	2460	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	85
PID 2460 wrote to memory of 5084	2460	3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe	85
PID 5084 wrote to memory of 4192	5084	omsecor.exe	87
PID 5084 wrote to memory of 4192	5084	omsecor.exe	87
PID 5084 wrote to memory of 4192	5084	omsecor.exe	87
PID 5084 wrote to memory of 4192	5084	omsecor.exe	87
PID 5084 wrote to memory of 4192	5084	omsecor.exe	87
PID 4192 wrote to memory of 4944	4192	omsecor.exe	92
PID 4192 wrote to memory of 4944	4192	omsecor.exe	92
PID 4192 wrote to memory of 4944	4192	omsecor.exe	92
PID 4944 wrote to memory of 960	4944	omsecor.exe	93
PID 4944 wrote to memory of 960	4944	omsecor.exe	93
PID 4944 wrote to memory of 960	4944	omsecor.exe	93
PID 4944 wrote to memory of 960	4944	omsecor.exe	93
PID 4944 wrote to memory of 960	4944	omsecor.exe	93
PID 960 wrote to memory of 2080	960	omsecor.exe	95
PID 960 wrote to memory of 2080	960	omsecor.exe	95
PID 960 wrote to memory of 2080	960	omsecor.exe	95
PID 2080 wrote to memory of 4148	2080	omsecor.exe	97
PID 2080 wrote to memory of 4148	2080	omsecor.exe	97
PID 2080 wrote to memory of 4148	2080	omsecor.exe	97
PID 2080 wrote to memory of 4148	2080	omsecor.exe	97
PID 2080 wrote to memory of 4148	2080	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
"C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 256
        8⤵
        Program crash
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 292
        6⤵
        Program crash
        
        PID:4056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 300
      4⤵
      Program crash
      PID:876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 288
  2⤵
  - Program crash
  PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 2588
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4944 -ip 4944
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2080 -ip 2080
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0bf3697d99de20472d9b6b82862cb331

SHA1
ebb63864c2ab28cfe35a585b37293abc6b79ec0b

SHA256
7656cf76e24aba694622607efa1d87ac36853d41e70d1c6d242caace354c4658

SHA512
24468738297c2e25992a31f7117744808b183f7eecb75c5391654350a774a6b45e1df884d660f8bc0e686ee6f7ad0d50e866224ac27fe1e6d5a0dde6f7ddaafc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
da8034b506342218c1b5d69cd693d721

SHA1
39468ba17368db2515c6acca884ac8a546942b78

SHA256
a072734720a832eb10ab026d7057b3faef8e90a27c025306f4c85ad14ac03010

SHA512
dd0905fd5338cdce4ccad031d548bb78e0abd885ce47a153633a3402bbb7ce2efa5ae536894a7738c25c5ca4a76b5ed0fa8c12ee4ff005bd96037e5268afc651

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ec90d1b118abb4494eefdb85b06772a5

SHA1
cc5c464ca47534e3c8e20a86b6e8a6e49e7d64dd

SHA256
5bea3b06cc144ffdf7a56e1e29ca114e27a0cea8038ebc7b572bffab93880610

SHA512
5b635f652c330967455494ec3391911fc3e1f5fd5c18f943f7a92dbba5f8b7dbb62e94b1939de72e8a7b156853dc9dd41e584adeef94e1f243a886fab1b3a925

Download Submit
memory/960-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2080-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2460-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2588-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4148-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4148-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4148-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4944-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5084-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5084-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download