neconyd | 75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 21:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Size

96KB
MD5

52f894d5e05afd7a0c3e3f494103bd74
SHA1

39288ac93279ffffe529338f52a0662dfc3171c4
SHA256

75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da
SHA512

60b4f1f80a3dc940383e6cc677a12b0e933993b4c307e366dab961e3050b0c6afc138d852a487c5d671adc9a43c955eea77e98e2efa9b57ad0f4f46bd08da479
SSDEEP

1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:HGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4088	omsecor.exe
4984	omsecor.exe
3432	omsecor.exe
2956	omsecor.exe
2984	omsecor.exe
5072	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4088 set thread context of 4984	4088	omsecor.exe	88
PID 3432 set thread context of 2956	3432	omsecor.exe	96
PID 2984 set thread context of 5072	2984	omsecor.exe	100

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2324	4564	WerFault.exe	82
1920	4088	WerFault.exe	86
4348	3432	WerFault.exe	95
1420	2984	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4564 wrote to memory of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4564 wrote to memory of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4564 wrote to memory of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4564 wrote to memory of 4868	4564	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	83
PID 4868 wrote to memory of 4088	4868	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	86
PID 4868 wrote to memory of 4088	4868	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	86
PID 4868 wrote to memory of 4088	4868	75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe	86
PID 4088 wrote to memory of 4984	4088	omsecor.exe	88
PID 4088 wrote to memory of 4984	4088	omsecor.exe	88
PID 4088 wrote to memory of 4984	4088	omsecor.exe	88
PID 4088 wrote to memory of 4984	4088	omsecor.exe	88
PID 4088 wrote to memory of 4984	4088	omsecor.exe	88
PID 4984 wrote to memory of 3432	4984	omsecor.exe	95
PID 4984 wrote to memory of 3432	4984	omsecor.exe	95
PID 4984 wrote to memory of 3432	4984	omsecor.exe	95
PID 3432 wrote to memory of 2956	3432	omsecor.exe	96
PID 3432 wrote to memory of 2956	3432	omsecor.exe	96
PID 3432 wrote to memory of 2956	3432	omsecor.exe	96
PID 3432 wrote to memory of 2956	3432	omsecor.exe	96
PID 3432 wrote to memory of 2956	3432	omsecor.exe	96
PID 2956 wrote to memory of 2984	2956	omsecor.exe	98
PID 2956 wrote to memory of 2984	2956	omsecor.exe	98
PID 2956 wrote to memory of 2984	2956	omsecor.exe	98
PID 2984 wrote to memory of 5072	2984	omsecor.exe	100
PID 2984 wrote to memory of 5072	2984	omsecor.exe	100
PID 2984 wrote to memory of 5072	2984	omsecor.exe	100
PID 2984 wrote to memory of 5072	2984	omsecor.exe	100
PID 2984 wrote to memory of 5072	2984	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
"C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
  C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 256
        8⤵
        Program crash
        
        PID:1420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 292
        6⤵
        Program crash
        
        PID:4348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 300
      4⤵
      Program crash
      PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 288
  2⤵
  - Program crash
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4564 -ip 4564
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4088 -ip 4088
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3432 -ip 3432
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
aa3a6149be14dd1538e4c1f9cb09bc0a

SHA1
dd2a0b8aa3ad872d25806603b714d42d6d25d5d9

SHA256
dafd4f8e1b6265d4bde33eabcea6038b5a8fe8dcdc886b670d4afa5d862ce2c1

SHA512
908cadf31d65b30d31c8de6f964a560b487e662c1456cec019cc690260544752c660733a0fa0df74dbc1e7bf777875a4eebd6338654ca5338606e5586ff7aba4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
88ae9d0702a8a9df63390a9f61619b81

SHA1
f1d25aefeec7071b0b9a8fcb335f431e08b152d4

SHA256
cc0aa4a46f27081de7b809f8027abca8616f073fe0a65214c82a3649ebdb6886

SHA512
fc3e9150ec373405a18b448047ac86f3a72db98d7fa0d963839eee69af3d9a7fa4547d12f743d489fa0c165b9f7a9b2470d5d937511b40dd9984baf94652ec99

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9854a173f87b5c38d29fc38930e52290

SHA1
3062b4566a3574b45b26714c0614afbe847e2636

SHA256
2f8c76c39170275b81f7f02390e7feafb354612f8e79db4ef42953b432a2c5b3

SHA512
26464f89c7e93c016b0266e459209449ed6e6b1da53932b0d16642fa81da6323904f3950d0a49fb49e793414099823b00ea8ebf07a3a7ded861793dfa57a1443

Download Submit
memory/2956-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3432-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3432-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4088-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4088-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4564-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4564-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4868-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5072-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5072-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5072-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5072-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download