neconyd | 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size

96KB
MD5

f52b87b3a347a98aaa214c53bbf3e320
SHA1

88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512

75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
772	omsecor.exe
720	omsecor.exe
1196	omsecor.exe
4212	omsecor.exe
4848	omsecor.exe
3400	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 772 set thread context of 720	772	omsecor.exe	87
PID 1196 set thread context of 4212	1196	omsecor.exe	109
PID 4848 set thread context of 3400	4848	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1324	772	WerFault.exe	85
1664	4736	WerFault.exe	82
3812	1196	WerFault.exe	108
812	4848	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 4736 wrote to memory of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 4736 wrote to memory of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 4736 wrote to memory of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 4736 wrote to memory of 3976	4736	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 3976 wrote to memory of 772	3976	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 3976 wrote to memory of 772	3976	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 3976 wrote to memory of 772	3976	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 772 wrote to memory of 720	772	omsecor.exe	87
PID 772 wrote to memory of 720	772	omsecor.exe	87
PID 772 wrote to memory of 720	772	omsecor.exe	87
PID 772 wrote to memory of 720	772	omsecor.exe	87
PID 772 wrote to memory of 720	772	omsecor.exe	87
PID 720 wrote to memory of 1196	720	omsecor.exe	108
PID 720 wrote to memory of 1196	720	omsecor.exe	108
PID 720 wrote to memory of 1196	720	omsecor.exe	108
PID 1196 wrote to memory of 4212	1196	omsecor.exe	109
PID 1196 wrote to memory of 4212	1196	omsecor.exe	109
PID 1196 wrote to memory of 4212	1196	omsecor.exe	109
PID 1196 wrote to memory of 4212	1196	omsecor.exe	109
PID 1196 wrote to memory of 4212	1196	omsecor.exe	109
PID 4212 wrote to memory of 4848	4212	omsecor.exe	111
PID 4212 wrote to memory of 4848	4212	omsecor.exe	111
PID 4212 wrote to memory of 4848	4212	omsecor.exe	111
PID 4848 wrote to memory of 3400	4848	omsecor.exe	113
PID 4848 wrote to memory of 3400	4848	omsecor.exe	113
PID 4848 wrote to memory of 3400	4848	omsecor.exe	113
PID 4848 wrote to memory of 3400	4848	omsecor.exe	113
PID 4848 wrote to memory of 3400	4848	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
"C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 256
        8⤵
        Program crash
        
        PID:812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 292
        6⤵
        Program crash
        
        PID:3812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 300
      4⤵
      Program crash
      PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 288
  2⤵
  - Program crash
  PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4736 -ip 4736
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 772 -ip 772
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1196 -ip 1196
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4848 -ip 4848
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a509278b7c05ecae6a7d94754e7ede43

SHA1
d1a79c7b4155e10608ceb9d217d9153f200470a4

SHA256
e1c2fe998473a92fad4c04c6bdcf4c1347b63df9247be1fb7456c2d947517fe5

SHA512
0fa63d7ee46a06621c4f82c9e8255fed4bf7b76154a2f40bb7fd3234a13ad22f90552d9cfc2faa5da753e816162aef990e4014dd36c4a0ea4957c2ffffe1c2d5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ed580a195e52b712ad98701276f22d8

SHA1
fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

SHA256
8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

SHA512
acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
1df852f4243ea74cc0461e3883f4c91f

SHA1
591bc74e7e6c8b233da8b32f13de301d18392b66

SHA256
90006a998fb82fe8475ac93ad3083caac172e58f95e81f15bd34ff4370e55321

SHA512
126ad07ed7db93ba7bed41cc22c5c676f8b64828d9602b1c863182bf928d5c660f2f492148306cf15d8d6bdbe4637008429476d10d9285135cee25bd9b574ed6

Download Submit
memory/720-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/772-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1196-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1196-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3400-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3976-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3976-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3976-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3976-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4736-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4736-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4848-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download