neconyd | 0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Size

96KB
MD5

9da845581bd68245737dedb0d1a076b0
SHA1

d1d9565288a7b77490fbaf25ef791d1b0d3ddedc
SHA256

0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34
SHA512

ea60d528113adef17a43affc1d564bf0da2c4962d1b08ea8a98a40d6907fee221a52bec3058211717cdd2db50cd688aaf467dcd99586ef4a32d74f1396ca801e
SSDEEP

1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:NGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4204	omsecor.exe
1504	omsecor.exe
1520	omsecor.exe
1280	omsecor.exe
1160	omsecor.exe
3732	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 4204 set thread context of 1504	4204	omsecor.exe	90
PID 1520 set thread context of 1280	1520	omsecor.exe	110
PID 1160 set thread context of 3732	1160	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4496	5008	WerFault.exe	84
3584	4204	WerFault.exe	88
3504	1520	WerFault.exe	109
4568	1160	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 5008 wrote to memory of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 5008 wrote to memory of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 5008 wrote to memory of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 5008 wrote to memory of 540	5008	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	85
PID 540 wrote to memory of 4204	540	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	88
PID 540 wrote to memory of 4204	540	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	88
PID 540 wrote to memory of 4204	540	0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe	88
PID 4204 wrote to memory of 1504	4204	omsecor.exe	90
PID 4204 wrote to memory of 1504	4204	omsecor.exe	90
PID 4204 wrote to memory of 1504	4204	omsecor.exe	90
PID 4204 wrote to memory of 1504	4204	omsecor.exe	90
PID 4204 wrote to memory of 1504	4204	omsecor.exe	90
PID 1504 wrote to memory of 1520	1504	omsecor.exe	109
PID 1504 wrote to memory of 1520	1504	omsecor.exe	109
PID 1504 wrote to memory of 1520	1504	omsecor.exe	109
PID 1520 wrote to memory of 1280	1520	omsecor.exe	110
PID 1520 wrote to memory of 1280	1520	omsecor.exe	110
PID 1520 wrote to memory of 1280	1520	omsecor.exe	110
PID 1520 wrote to memory of 1280	1520	omsecor.exe	110
PID 1520 wrote to memory of 1280	1520	omsecor.exe	110
PID 1280 wrote to memory of 1160	1280	omsecor.exe	112
PID 1280 wrote to memory of 1160	1280	omsecor.exe	112
PID 1280 wrote to memory of 1160	1280	omsecor.exe	112
PID 1160 wrote to memory of 3732	1160	omsecor.exe	114
PID 1160 wrote to memory of 3732	1160	omsecor.exe	114
PID 1160 wrote to memory of 3732	1160	omsecor.exe	114
PID 1160 wrote to memory of 3732	1160	omsecor.exe	114
PID 1160 wrote to memory of 3732	1160	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
"C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
  C:\Users\Admin\AppData\Local\Temp\0712dc18be5941863fe5ca13d5e75c0265ed690eb33d3171cc999201fc5cbf34N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 264
        8⤵
        Program crash
        
        PID:4568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 292
        6⤵
        Program crash
        
        PID:3504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 292
      4⤵
      Program crash
      PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 288
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 5008
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4204 -ip 4204
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1520 -ip 1520
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1160 -ip 1160
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f33a1ce5ac84cc2211e6a90e69aeace6

SHA1
6866279eda65d1d3605a6af64a53525923152594

SHA256
c3412db9e1629cc8a304e0177163ec0e12a798c15e840bc7e51e281ae3f1c73b

SHA512
87a3812236f146d5c0e8e1e91f4104707ecd7dc8eab218fba6eb1352adacf238ceae8ce052bc35172e020711318b62a5eb03014027addc64adebce2b2c96fb49

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8e2dab8d5af3bf25872671a740595ca4

SHA1
577868aef477d2cf3ff0c8fa28feac6b1962ebbc

SHA256
6f2900ffa9b536cfebc6d17779c052ae54c6354b8f0568a6a9998c9b9ea6019e

SHA512
df5fd77bc81847fd18072be0b42a792a8b396ed573aa87a48682c8e999875752bbd544aa4f3dc330e5958920ef1ef457a1685cdab3436874de3e552940758e4d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
30949542e3cacffd82cdd50be6085d46

SHA1
5ad408ca5c55b872fb43379eb0420ba78989e975

SHA256
ab44cfcf7240c8b0d6183d2325431e06935be1793707edb01cd43bd166bd6cb7

SHA512
f48144eb547a665aff5d24cec2c1cbae965a0b6c0342c1771443430434a8945a60512e56c9cc0072cb9093e85c4dad22d0f6b6c496d998c396e3cf9e9d2a496a

Download Submit
memory/540-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1280-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1520-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1520-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3732-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3732-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3732-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4204-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download