neconyd | ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
Size

96KB
MD5

0264d14980661b47db76a17367a6e570
SHA1

9041277f7bc67bf0f5557561874e2f12c7aca851
SHA256

ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e
SHA512

1216acf5840aaf71c9d2dcb7bab8f64eadbde882200e2e1462f734268d7e52640de3a2ade1c33819b528cd564c94acec130ecf1d5d8797b2f2146c6f210fffed
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1136	omsecor.exe
3680	omsecor.exe
3144	omsecor.exe
3288	omsecor.exe
1272	omsecor.exe
1428	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 1136 set thread context of 3680	1136	omsecor.exe	87
PID 3144 set thread context of 3288	3144	omsecor.exe	100
PID 1272 set thread context of 1428	1272	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3092	2524	WerFault.exe	81
1440	1136	WerFault.exe	84
1756	3144	WerFault.exe	99
2164	1272	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 2524 wrote to memory of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 2524 wrote to memory of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 2524 wrote to memory of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 2524 wrote to memory of 3088	2524	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	82
PID 3088 wrote to memory of 1136	3088	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	84
PID 3088 wrote to memory of 1136	3088	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	84
PID 3088 wrote to memory of 1136	3088	ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe	84
PID 1136 wrote to memory of 3680	1136	omsecor.exe	87
PID 1136 wrote to memory of 3680	1136	omsecor.exe	87
PID 1136 wrote to memory of 3680	1136	omsecor.exe	87
PID 1136 wrote to memory of 3680	1136	omsecor.exe	87
PID 1136 wrote to memory of 3680	1136	omsecor.exe	87
PID 3680 wrote to memory of 3144	3680	omsecor.exe	99
PID 3680 wrote to memory of 3144	3680	omsecor.exe	99
PID 3680 wrote to memory of 3144	3680	omsecor.exe	99
PID 3144 wrote to memory of 3288	3144	omsecor.exe	100
PID 3144 wrote to memory of 3288	3144	omsecor.exe	100
PID 3144 wrote to memory of 3288	3144	omsecor.exe	100
PID 3144 wrote to memory of 3288	3144	omsecor.exe	100
PID 3144 wrote to memory of 3288	3144	omsecor.exe	100
PID 3288 wrote to memory of 1272	3288	omsecor.exe	102
PID 3288 wrote to memory of 1272	3288	omsecor.exe	102
PID 3288 wrote to memory of 1272	3288	omsecor.exe	102
PID 1272 wrote to memory of 1428	1272	omsecor.exe	104
PID 1272 wrote to memory of 1428	1272	omsecor.exe	104
PID 1272 wrote to memory of 1428	1272	omsecor.exe	104
PID 1272 wrote to memory of 1428	1272	omsecor.exe	104
PID 1272 wrote to memory of 1428	1272	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
"C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
  C:\Users\Admin\AppData\Local\Temp\ea313a0cdacfcf704d918d39a8d0ad9800f19e15832b7148bce7c8816e7ab53e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 268
        8⤵
        Program crash
        
        PID:2164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 300
        6⤵
        Program crash
        
        PID:1756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 292
      4⤵
      Program crash
      PID:1440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 288
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2524 -ip 2524
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1136 -ip 1136
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272
1⤵
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d32bfaeb75d6a599658e6473f9dc6f97

SHA1
3f2e4af7a62a3ddae56a654ef2d5426892c0ed31

SHA256
f20deac1016d416ba955c6bbcb41da76061a2d279ada9d8fdfb28673f48758a2

SHA512
68aed0187c0a11845744c1b2991b3689aa706a77b11965827c58cc2a37e9dd7e234e7bf7b302d5f73b8320ac715e49911d8b806f996fb194475e8a9a06b229db

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d1298028b4d4f9b9918e50d5985ddc56

SHA1
a2da6a52111b7270b2502d4f55dbafdcb7534662

SHA256
d77c7f4c917974677df247b5e7b7c18d9bf3ea2ea726a3a514cdb2783ffd764b

SHA512
4a6fb383d9dad09b2cfe13d3232af4c26d3d09a51a34f769d1aea0124f0617e50cdc1aa99d721d9db86556824220e6b0752e5c1e9d7eb54632eda68aee1c40dd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d82839d23b18f8f6311ca7b9dd75f634

SHA1
a355c4ef7ca5fddcb0887ad3a592eac24794bb3e

SHA256
5dc61818857e84a8f860bd2063f90a62938f8fd4e71fcf6e0e1b2e7d7dc4b97c

SHA512
803213add22871994f8e4c9af031a9854618c5268f8a08117ca06afacab7d8fd0ab4702660171648a02ad03841df342cfd894fd04a68349b46fae8dff6f6ce4c

Download Submit
memory/1136-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1272-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1272-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1428-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1428-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3088-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3088-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3088-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3144-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3288-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download