neconyd | 75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Size

96KB
MD5

52f894d5e05afd7a0c3e3f494103bd74
SHA1

39288ac93279ffffe529338f52a0662dfc3171c4
SHA256

75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da
SHA512

60b4f1f80a3dc940383e6cc677a12b0e933993b4c307e366dab961e3050b0c6afc138d852a487c5d671adc9a43c955eea77e98e2efa9b57ad0f4f46bd08da479
SSDEEP

1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:HGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1992	omsecor.exe
4064	omsecor.exe
1496	omsecor.exe
4784	omsecor.exe
3844	omsecor.exe
1876	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 1992 set thread context of 4064	1992	omsecor.exe	88
PID 1496 set thread context of 4784	1496	omsecor.exe	108
PID 3844 set thread context of 1876	3844	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4924	4324	WerFault.exe	82
4316	1992	WerFault.exe	85
2616	1496	WerFault.exe	107
4052	3844	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4324 wrote to memory of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4324 wrote to memory of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4324 wrote to memory of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4324 wrote to memory of 2016	4324	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 2016 wrote to memory of 1992	2016	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	85
PID 2016 wrote to memory of 1992	2016	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	85
PID 2016 wrote to memory of 1992	2016	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	85
PID 1992 wrote to memory of 4064	1992	omsecor.exe	88
PID 1992 wrote to memory of 4064	1992	omsecor.exe	88
PID 1992 wrote to memory of 4064	1992	omsecor.exe	88
PID 1992 wrote to memory of 4064	1992	omsecor.exe	88
PID 1992 wrote to memory of 4064	1992	omsecor.exe	88
PID 4064 wrote to memory of 1496	4064	omsecor.exe	107
PID 4064 wrote to memory of 1496	4064	omsecor.exe	107
PID 4064 wrote to memory of 1496	4064	omsecor.exe	107
PID 1496 wrote to memory of 4784	1496	omsecor.exe	108
PID 1496 wrote to memory of 4784	1496	omsecor.exe	108
PID 1496 wrote to memory of 4784	1496	omsecor.exe	108
PID 1496 wrote to memory of 4784	1496	omsecor.exe	108
PID 1496 wrote to memory of 4784	1496	omsecor.exe	108
PID 4784 wrote to memory of 3844	4784	omsecor.exe	110
PID 4784 wrote to memory of 3844	4784	omsecor.exe	110
PID 4784 wrote to memory of 3844	4784	omsecor.exe	110
PID 3844 wrote to memory of 1876	3844	omsecor.exe	112
PID 3844 wrote to memory of 1876	3844	omsecor.exe	112
PID 3844 wrote to memory of 1876	3844	omsecor.exe	112
PID 3844 wrote to memory of 1876	3844	omsecor.exe	112
PID 3844 wrote to memory of 1876	3844	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
"C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
  C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 256
        8⤵
        Program crash
        
        PID:4052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 296
        6⤵
        Program crash
        
        PID:2616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 288
      4⤵
      Program crash
      PID:4316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 288
  2⤵
  - Program crash
  PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1992 -ip 1992
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1496 -ip 1496
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3844 -ip 3844
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ed3768d379e3eb38226482f664e6e9c8

SHA1
4100b9970b5dffa3086fcd25c3375fcc1763affa

SHA256
5d7aa8171c8c90a25c7b542096d1451040daae5b6cb56b0d0758ec39d97a8d2e

SHA512
aedda74b64b63b1232b2e5c79db715080b3a6daffe348b2874ba603d3d99d318856bd50f878753f19cb83271f38516994662aa6442ea67eced2c557d7523e37a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
88ae9d0702a8a9df63390a9f61619b81

SHA1
f1d25aefeec7071b0b9a8fcb335f431e08b152d4

SHA256
cc0aa4a46f27081de7b809f8027abca8616f073fe0a65214c82a3649ebdb6886

SHA512
fc3e9150ec373405a18b448047ac86f3a72db98d7fa0d963839eee69af3d9a7fa4547d12f743d489fa0c165b9f7a9b2470d5d937511b40dd9984baf94652ec99

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a531991a591fb44cf639c6098c463cd9

SHA1
0cf7f13679084f0ea516f29ab9681cd7de25de3a

SHA256
f3e48cf7b74a0603992ba4dbb8181cf25a80dab3fc938f14bf06656389577218

SHA512
b161440ee0bfaeb341c46375b22b7a94ab29712483de065a903ef8b3cabf4b3cd17f18c0ab1ff4aba82ac195a42a78cdae352f5d7718a620b1bccd124a4d43f5

Download Submit
memory/1496-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1876-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1876-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4064-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4064-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4324-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4324-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4784-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4784-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download