neconyd | f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591c

Analysis

max time kernel
112s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Size

96KB
MD5

065819ff293446c42805e107e60b27f0
SHA1

61e2b3344bb017cecbe99b200ba68c5492147d50
SHA256

f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591c
SHA512

92a7da14d2a3ce97f96d1c52de18a1b6a4de3a078e6e671578893d5ad54b3b5da46f26fda01415fca15eeb1bb92c1f70d248f682bf3e48bcd795e3ed3d0cb5f1
SSDEEP

1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:VGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1412	omsecor.exe
3864	omsecor.exe
3424	omsecor.exe
1048	omsecor.exe
4416	omsecor.exe
652	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1412 set thread context of 3864	1412	omsecor.exe	88
PID 3424 set thread context of 1048	3424	omsecor.exe	109
PID 4416 set thread context of 652	4416	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3888	1384	WerFault.exe	82
3508	1412	WerFault.exe	85
1248	3424	WerFault.exe	108
464	4416	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1384 wrote to memory of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1384 wrote to memory of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1384 wrote to memory of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1384 wrote to memory of 1580	1384	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	83
PID 1580 wrote to memory of 1412	1580	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	85
PID 1580 wrote to memory of 1412	1580	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	85
PID 1580 wrote to memory of 1412	1580	f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe	85
PID 1412 wrote to memory of 3864	1412	omsecor.exe	88
PID 1412 wrote to memory of 3864	1412	omsecor.exe	88
PID 1412 wrote to memory of 3864	1412	omsecor.exe	88
PID 1412 wrote to memory of 3864	1412	omsecor.exe	88
PID 1412 wrote to memory of 3864	1412	omsecor.exe	88
PID 3864 wrote to memory of 3424	3864	omsecor.exe	108
PID 3864 wrote to memory of 3424	3864	omsecor.exe	108
PID 3864 wrote to memory of 3424	3864	omsecor.exe	108
PID 3424 wrote to memory of 1048	3424	omsecor.exe	109
PID 3424 wrote to memory of 1048	3424	omsecor.exe	109
PID 3424 wrote to memory of 1048	3424	omsecor.exe	109
PID 3424 wrote to memory of 1048	3424	omsecor.exe	109
PID 3424 wrote to memory of 1048	3424	omsecor.exe	109
PID 1048 wrote to memory of 4416	1048	omsecor.exe	111
PID 1048 wrote to memory of 4416	1048	omsecor.exe	111
PID 1048 wrote to memory of 4416	1048	omsecor.exe	111
PID 4416 wrote to memory of 652	4416	omsecor.exe	113
PID 4416 wrote to memory of 652	4416	omsecor.exe	113
PID 4416 wrote to memory of 652	4416	omsecor.exe	113
PID 4416 wrote to memory of 652	4416	omsecor.exe	113
PID 4416 wrote to memory of 652	4416	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
"C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
  C:\Users\Admin\AppData\Local\Temp\f34eb9924850254d8ad5eb74c0c98e0c8d4f39b93dd9aadc74c20d72a3ef591cN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 256
        8⤵
        Program crash
        
        PID:464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 292
        6⤵
        Program crash
        
        PID:1248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 288
      4⤵
      Program crash
      PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 288
  2⤵
  - Program crash
  PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1384 -ip 1384
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1412 -ip 1412
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3424 -ip 3424
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4416 -ip 4416
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b895a52baaaaf06aae82bdf11182f0cc

SHA1
da5d9c5e7715e2a0e4791048dbc457b63e5c9fdf

SHA256
56473abed83889fa68584427086953f838ad853d926875b7366eae43e6a50095

SHA512
76f815be8fae19c76bafe267f4909d1164431c438c37d4169bd855ab152cce9fef0a192d02bba2b7db29fbc6507b860afeef23447e589fb4fe46a130e7cd30ce

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a8b9875c7d5fe866552b7352ffc29cda

SHA1
f76498df8320f5c683a4685ecb45261ee9b7dd1e

SHA256
dd449b40c1e6f57a4dd3c2293995fe4768ca41dd0be29a57aa9668c421999fb3

SHA512
914a9072b6494769e005b1e5f1c98fbcb65d843ecd7c474916eb8b484a85b1961171ce7d44d4ae0859f45e543b8db75c6f6c150d193d783ceb8eaf07cb87403b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
dbd6049682b36dd754c5f745b35f2e38

SHA1
c4630bcdae7effb5e4843143fff77dab577b2685

SHA256
6907322c02c525a31a5b22f814c4877b2dc77c2255ce80d5d468facad40b6b54

SHA512
a248f97d1107cb1dc9a20ce54dd8416af6e10e14471bfe4d70c0e8d97017994d7bb0a0b355f5a432a125d99e68cc35d56aa8a20862fe6f33541c51a3e4741494

Download Submit
memory/652-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/652-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/652-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1384-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1412-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1580-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3424-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3424-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3864-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-47-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download