neconyd | f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe
Size

96KB
MD5

0499bbe9425e490f9b4aee29884c0fc0
SHA1

3e8a1933871c4daca8a23fa840fb77a8da5b53ca
SHA256

f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25
SHA512

1383d194b990c7e0b4ed6452361731e9d412e2c809805a2ffae9c53b71ce72b9cf322e0cffebeff34e06bcf3d50bb7384d6e516c11fe13d8ed389791d9003c13
SSDEEP

1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:LGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1652	omsecor.exe
2984	omsecor.exe
3448	omsecor.exe
1260	omsecor.exe
4260	omsecor.exe
4840	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4216 set thread context of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 1652 set thread context of 2984	1652	omsecor.exe	87
PID 3448 set thread context of 1260	3448	omsecor.exe	99
PID 4260 set thread context of 4840	4260	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1908	4216	WerFault.exe	81
2248	1652	WerFault.exe	85
1148	3448	WerFault.exe	98
536	4260	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 4216 wrote to memory of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 4216 wrote to memory of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 4216 wrote to memory of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 4216 wrote to memory of 1956	4216	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	82
PID 1956 wrote to memory of 1652	1956	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	85
PID 1956 wrote to memory of 1652	1956	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	85
PID 1956 wrote to memory of 1652	1956	f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe	85
PID 1652 wrote to memory of 2984	1652	omsecor.exe	87
PID 1652 wrote to memory of 2984	1652	omsecor.exe	87
PID 1652 wrote to memory of 2984	1652	omsecor.exe	87
PID 1652 wrote to memory of 2984	1652	omsecor.exe	87
PID 1652 wrote to memory of 2984	1652	omsecor.exe	87
PID 2984 wrote to memory of 3448	2984	omsecor.exe	98
PID 2984 wrote to memory of 3448	2984	omsecor.exe	98
PID 2984 wrote to memory of 3448	2984	omsecor.exe	98
PID 3448 wrote to memory of 1260	3448	omsecor.exe	99
PID 3448 wrote to memory of 1260	3448	omsecor.exe	99
PID 3448 wrote to memory of 1260	3448	omsecor.exe	99
PID 3448 wrote to memory of 1260	3448	omsecor.exe	99
PID 3448 wrote to memory of 1260	3448	omsecor.exe	99
PID 1260 wrote to memory of 4260	1260	omsecor.exe	101
PID 1260 wrote to memory of 4260	1260	omsecor.exe	101
PID 1260 wrote to memory of 4260	1260	omsecor.exe	101
PID 4260 wrote to memory of 4840	4260	omsecor.exe	103
PID 4260 wrote to memory of 4840	4260	omsecor.exe	103
PID 4260 wrote to memory of 4840	4260	omsecor.exe	103
PID 4260 wrote to memory of 4840	4260	omsecor.exe	103
PID 4260 wrote to memory of 4840	4260	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe
"C:\Users\Admin\AppData\Local\Temp\f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe
  C:\Users\Admin\AppData\Local\Temp\f1c59ffd2332779dd6b34986893a03a55d1db62dddb7d0e0ec00e3237b843b25N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 256
        8⤵
        Program crash
        
        PID:536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 292
        6⤵
        Program crash
        
        PID:1148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 300
      4⤵
      Program crash
      PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 288
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4216 -ip 4216
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1652 -ip 1652
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3448 -ip 3448
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4260 -ip 4260
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
688f9b72883587f12cf48496d2b20905

SHA1
6e165f79e9239abbb35855bcd841be880512ca56

SHA256
eff97deefd464484da3ab26931e689cbfbb59e47d7d70e15488f54c826babe46

SHA512
6fbb33e0707fc63250e48ed2322b3c6d48710ee7c35db9bc9728b879cf25bce25127fbf6a3e4cb020c0a5367e0ba9f1ad45c8f0031027d95ab009f858a043c0e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7952f500bf172e958c31c7a5be069646

SHA1
85d37a87273693327acee0484ad275b15ce11c3b

SHA256
c931b1ca918decb8281e3efe0ed79afc97d61948abbdf7ea4498b86e3d1be57f

SHA512
dbe5e2b5ff68830768b4c0d4bb48327c87f20a4f0c168b72c708b39463aba217c9daee3862cfcd8fe27a7c4591c5cede504bf693dcaecfb013839d3d36827aef

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5a330c766ddf2901c16798939e8591dc

SHA1
8525037d80872bb124c467238cb9a9f6977a8271

SHA256
02cd62e28257bb9f331a66fb5b27f59057fe273522bc53e312bf907679bc616d

SHA512
7ea8d4ad7fa5d6b48db815b1e50b0a1de3419038f16d37f8fdf3e2862263fd92ab46ce4fbfba35a93d928c0a81d580a4cb82001f593d0edf9e95ac4b4c263f27

Download Submit
memory/1260-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1652-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2984-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3448-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3448-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4216-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4216-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4260-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4260-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4840-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download