neconyd | 2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09be

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
Size

96KB
MD5

321909c591b4066fc06703effea9a2d0
SHA1

47b843e133c66949d6f6b38ba6df870d624486b9
SHA256

2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09be
SHA512

9dcbf4fb3bb4c3bfcdfda9f12e5cf89e46f80ee4d0ddd5a535138c703fdbbc24198e20175d71ee065f8ec579e54a700c1414ff143fc72fdee6ebe7ad8dcf9ad3
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:rGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4932	omsecor.exe
1332	omsecor.exe
3768	omsecor.exe
4616	omsecor.exe
3140	omsecor.exe
2148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 4932 set thread context of 1332	4932	omsecor.exe	87
PID 3768 set thread context of 4616	3768	omsecor.exe	109
PID 3140 set thread context of 2148	3140	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4756	4076	WerFault.exe	82
1968	4932	WerFault.exe	86
1176	3768	WerFault.exe	108
384	3140	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 4076 wrote to memory of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 4076 wrote to memory of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 4076 wrote to memory of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 4076 wrote to memory of 2240	4076	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	83
PID 2240 wrote to memory of 4932	2240	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	86
PID 2240 wrote to memory of 4932	2240	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	86
PID 2240 wrote to memory of 4932	2240	2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe	86
PID 4932 wrote to memory of 1332	4932	omsecor.exe	87
PID 4932 wrote to memory of 1332	4932	omsecor.exe	87
PID 4932 wrote to memory of 1332	4932	omsecor.exe	87
PID 4932 wrote to memory of 1332	4932	omsecor.exe	87
PID 4932 wrote to memory of 1332	4932	omsecor.exe	87
PID 1332 wrote to memory of 3768	1332	omsecor.exe	108
PID 1332 wrote to memory of 3768	1332	omsecor.exe	108
PID 1332 wrote to memory of 3768	1332	omsecor.exe	108
PID 3768 wrote to memory of 4616	3768	omsecor.exe	109
PID 3768 wrote to memory of 4616	3768	omsecor.exe	109
PID 3768 wrote to memory of 4616	3768	omsecor.exe	109
PID 3768 wrote to memory of 4616	3768	omsecor.exe	109
PID 3768 wrote to memory of 4616	3768	omsecor.exe	109
PID 4616 wrote to memory of 3140	4616	omsecor.exe	111
PID 4616 wrote to memory of 3140	4616	omsecor.exe	111
PID 4616 wrote to memory of 3140	4616	omsecor.exe	111
PID 3140 wrote to memory of 2148	3140	omsecor.exe	113
PID 3140 wrote to memory of 2148	3140	omsecor.exe	113
PID 3140 wrote to memory of 2148	3140	omsecor.exe	113
PID 3140 wrote to memory of 2148	3140	omsecor.exe	113
PID 3140 wrote to memory of 2148	3140	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
"C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
  C:\Users\Admin\AppData\Local\Temp\2106dfc082f77329cc1f6bc49342252a7e261a496e97046519aaeab9b61d09beN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 256
        8⤵
        Program crash
        
        PID:384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 292
        6⤵
        Program crash
        
        PID:1176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 300
      4⤵
      Program crash
      PID:1968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 300
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4076 -ip 4076
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4932 -ip 4932
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3768 -ip 3768
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3140 -ip 3140
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
24f1179855a33330c59210abe9e1ba76

SHA1
d29bbace42c978c896081642cc37c58c8beb81a6

SHA256
9d674cdd28d6708691eccb9691c401af0a3d74ac341df409a4d7325c86ed8ec7

SHA512
53e536026f848b74e6a4c09aa3065f38593f2cad92dfd50f3447ed5b16a0cec7ebb0172a16b2b371c78c2e306c4bc1b65e789a4a8e83c464ca24ec2f5c99bdde

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
67bf24305ef353f04f667dbefb45b787

SHA1
6a63642963b2b1cc68ec9b2b4f6f9aeeee483c90

SHA256
6ad7b59f1c112aba303f6fb172bf3681e79573043a06924679982fc3d6cf31a1

SHA512
04efef4ba7c0a60dbd12bdac07d903062b8a28bb4ede1650400af187514eca0df6ac5072cc65ba8e2955ea4aebf5b2a630229eb501fe48ab86be854ef201744c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0f268fe1c217335450ad6268cc207e3a

SHA1
c353a34d25a0c717e866f9c5b0ace9594f154c95

SHA256
6e4ebf7e361269df66f0d9c35d2e15d2cc7b8619c41d166df1fa764e0b57cfc2

SHA512
7e7135f5ee1b6b94be07f00fb8767b70174353d88ae47d0a15671edf9b63c160333ae7f169a462ba921f06bdedf3b96ec5a863c88c8b350800ffb2ad8357dc76

Download Submit
memory/1332-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3140-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3140-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3768-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3768-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4076-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4076-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4616-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4616-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4616-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4932-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download