neconyd | e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Size

96KB
MD5

5926bd31f01b5ab1dff5b50fb17fd258
SHA1

a7a226bdb5002d78cfaeb3abe81a5a184276d420
SHA256

e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b
SHA512

dedaaf27db851e090759482f379262bed17a8515e90b2c241058483d5b0077ed4a278a61b90728227dbeba5e2c0a1a51104205ce9a008dca84e82e9708f06d8b
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:DGs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4128	omsecor.exe
4396	omsecor.exe
3960	omsecor.exe
5008	omsecor.exe
676	omsecor.exe
4496	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 4128 set thread context of 4396	4128	omsecor.exe	86
PID 3960 set thread context of 5008	3960	omsecor.exe	100
PID 676 set thread context of 4496	676	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3744	3124	WerFault.exe	81
2372	4128	WerFault.exe	85
652	3960	WerFault.exe	99
4476	676	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 3124 wrote to memory of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 3124 wrote to memory of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 3124 wrote to memory of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 3124 wrote to memory of 3288	3124	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	82
PID 3288 wrote to memory of 4128	3288	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	85
PID 3288 wrote to memory of 4128	3288	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	85
PID 3288 wrote to memory of 4128	3288	e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe	85
PID 4128 wrote to memory of 4396	4128	omsecor.exe	86
PID 4128 wrote to memory of 4396	4128	omsecor.exe	86
PID 4128 wrote to memory of 4396	4128	omsecor.exe	86
PID 4128 wrote to memory of 4396	4128	omsecor.exe	86
PID 4128 wrote to memory of 4396	4128	omsecor.exe	86
PID 4396 wrote to memory of 3960	4396	omsecor.exe	99
PID 4396 wrote to memory of 3960	4396	omsecor.exe	99
PID 4396 wrote to memory of 3960	4396	omsecor.exe	99
PID 3960 wrote to memory of 5008	3960	omsecor.exe	100
PID 3960 wrote to memory of 5008	3960	omsecor.exe	100
PID 3960 wrote to memory of 5008	3960	omsecor.exe	100
PID 3960 wrote to memory of 5008	3960	omsecor.exe	100
PID 3960 wrote to memory of 5008	3960	omsecor.exe	100
PID 5008 wrote to memory of 676	5008	omsecor.exe	102
PID 5008 wrote to memory of 676	5008	omsecor.exe	102
PID 5008 wrote to memory of 676	5008	omsecor.exe	102
PID 676 wrote to memory of 4496	676	omsecor.exe	104
PID 676 wrote to memory of 4496	676	omsecor.exe	104
PID 676 wrote to memory of 4496	676	omsecor.exe	104
PID 676 wrote to memory of 4496	676	omsecor.exe	104
PID 676 wrote to memory of 4496	676	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
"C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
  C:\Users\Admin\AppData\Local\Temp\e2519ee3a9ed407b11c28a935143d8a6e32ccfcc84fcfd852ed1f1d159922b4b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 256
        8⤵
        Program crash
        
        PID:4476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 300
        6⤵
        Program crash
        
        PID:652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 292
      4⤵
      Program crash
      PID:2372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 288
  2⤵
  - Program crash
  PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3124 -ip 3124
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4128 -ip 4128
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3960 -ip 3960
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 676 -ip 676
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
98d5c49ae9e0f03454eb2abd2ac955d4

SHA1
fea84bbf61a3a965a98504ba398948c4509cb9e1

SHA256
a1cf1477cc52c4830803dd97d3d9c82e77c818e773fa9a3ff9d00e21884e963a

SHA512
4dd955e9c8ce49677872dae34b1becd5f339511e4ba740bbd88657409121636945eab4a056e920ee5fb46aeaefa8dcdad433b3767f2a4597de09ee02ee949bfc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8ac1f6e8b0d90e2ebbb56b8c998ba03b

SHA1
8c7aeb37fb3c6a1434c90589adbd7da342d6b92b

SHA256
59c051aa2cbf1103008dcdbcc24ddeb5bc1b4a4e1954f6120d7ad03ef8f25254

SHA512
5f48162ddf776200e3f815c83416a044851a9a134eaebca7b900a50134326774c492d58d7c14c617bffff3049b9351d54082672a60f445ea3b7fae65a2029b1a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6e8d7b7fcf87ac2b54576a6d56b501f9

SHA1
be740b1edd1267f8bef4f2acc12c3c6829fe5f9f

SHA256
ff6777e48634205368884c46fe260e13376f7ea13a7e8699699d3dfbe99c5ae4

SHA512
36df15aef4c7955ec20efcd1bc5311c187aa07b4c7bd18693f522b4645765ac946e3f578ca974e72c2c388206a8e50898a66b03eaa260428909372179d93ae66

Download Submit
memory/676-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3124-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3124-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3288-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3960-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3960-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4128-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4128-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4396-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download