neconyd | 16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
Size

96KB
MD5

9bc358419f7b5bb5a953c325eb5e452a
SHA1

0f28a48d670a8e1dd5dd9594a8a575e0ec72b66a
SHA256

16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73
SHA512

9ed8245bcb888d61605e9bc38ab450533101c56fd911f62aaad79e969d1061ade9f6fa276e4710943dd24f22b08bb391c5cce8ede55ae3f4aecb18415b98f64a
SSDEEP

1536:CnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:CGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3100	omsecor.exe
1160	omsecor.exe
2288	omsecor.exe
3056	omsecor.exe
5072	omsecor.exe
3916	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 3100 set thread context of 1160	3100	omsecor.exe	88
PID 2288 set thread context of 3056	2288	omsecor.exe	110
PID 5072 set thread context of 3916	5072	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1556	4232	WerFault.exe	82
608	3100	WerFault.exe	86
3100	2288	WerFault.exe	109
1788	5072	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 4232 wrote to memory of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 4232 wrote to memory of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 4232 wrote to memory of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 4232 wrote to memory of 1052	4232	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	83
PID 1052 wrote to memory of 3100	1052	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	86
PID 1052 wrote to memory of 3100	1052	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	86
PID 1052 wrote to memory of 3100	1052	16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe	86
PID 3100 wrote to memory of 1160	3100	omsecor.exe	88
PID 3100 wrote to memory of 1160	3100	omsecor.exe	88
PID 3100 wrote to memory of 1160	3100	omsecor.exe	88
PID 3100 wrote to memory of 1160	3100	omsecor.exe	88
PID 3100 wrote to memory of 1160	3100	omsecor.exe	88
PID 1160 wrote to memory of 2288	1160	omsecor.exe	109
PID 1160 wrote to memory of 2288	1160	omsecor.exe	109
PID 1160 wrote to memory of 2288	1160	omsecor.exe	109
PID 2288 wrote to memory of 3056	2288	omsecor.exe	110
PID 2288 wrote to memory of 3056	2288	omsecor.exe	110
PID 2288 wrote to memory of 3056	2288	omsecor.exe	110
PID 2288 wrote to memory of 3056	2288	omsecor.exe	110
PID 2288 wrote to memory of 3056	2288	omsecor.exe	110
PID 3056 wrote to memory of 5072	3056	omsecor.exe	112
PID 3056 wrote to memory of 5072	3056	omsecor.exe	112
PID 3056 wrote to memory of 5072	3056	omsecor.exe	112
PID 5072 wrote to memory of 3916	5072	omsecor.exe	114
PID 5072 wrote to memory of 3916	5072	omsecor.exe	114
PID 5072 wrote to memory of 3916	5072	omsecor.exe	114
PID 5072 wrote to memory of 3916	5072	omsecor.exe	114
PID 5072 wrote to memory of 3916	5072	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
"C:\Users\Admin\AppData\Local\Temp\16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
  C:\Users\Admin\AppData\Local\Temp\16d34620936301f3100dd99654031866364b4f10debc78694aaa477e01103a73.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 256
        8⤵
        Program crash
        
        PID:1788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 296
        6⤵
        Program crash
        
        PID:3100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 292
      4⤵
      Program crash
      PID:608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 288
  2⤵
  - Program crash
  PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3100 -ip 3100
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2288 -ip 2288
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5072 -ip 5072
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
482a0e11303602ac4b45a19c17a082f9

SHA1
fdd89aea26b083a2507fa6853cdab3fa21558afe

SHA256
b101c15ec0ee62eee8173a7510aac061f699e9771751f7c89ce89f95b6edcc5a

SHA512
d4ded8279ed8007c09354e0132357a26f58879fda8cda2515102c0a0fd8d5d8707f5d2bc69194c5c259ce8f4efb13a0e7343a005eac854929efce21a539d6159

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a4835e827298b89259b27574d536c498

SHA1
a980add8cec0e5e9980c84da406ede5cbb050344

SHA256
199c47b3319ef981eb8531fd3122a49eec52bc6940952ad4193f1398480884be

SHA512
9994ce01acdb379a0011ed2561f23f8027a53f61e03793cd5f1d6fe7f4ffe1f8b5a0899a0cd0c0bbbc54109c00a58419b4c0ed9101f49a027f7ed953b8e26e4d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
992a19ac57f4f0969979b852a34e2c81

SHA1
1cdcb916d4636c0c274afbbf295e34f29dd1dd5f

SHA256
744497d997b284221953d78132f9792f0842e4303a8dd46ddcf4a6300a4e9242

SHA512
002c3bc0c1fdc72e6bb6a0beab09cce2a94b6fa1b18b57320f30209dac742a04c58df683a887b6098d1c852043e4cff523105a89be08fe038513c66199860bb4

Download Submit
memory/1052-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1052-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2288-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3056-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3100-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3916-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4232-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4232-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5072-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download