neconyd | 33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
Size

96KB
MD5

9c5a9ad759d63824e7e07c1a820259cf
SHA1

b666d9a995fca47c54d9cc9f8b329f3ae4dffa29
SHA256

33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b
SHA512

128eff79593bcb8b1dda902146c19e4db046274b78b427b15dc1048765d400e205e1c9b79d7189fe8b5ae0d2c4e7c25e5b0c7d34f5aeec9fcee21e905a2327da
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:OGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2568	omsecor.exe
4684	omsecor.exe
1160	omsecor.exe
4528	omsecor.exe
4848	omsecor.exe
2916	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4300 set thread context of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 2568 set thread context of 4684	2568	omsecor.exe	88
PID 1160 set thread context of 4528	1160	omsecor.exe	108
PID 4848 set thread context of 2916	4848	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2376	4300	WerFault.exe	82
5076	2568	WerFault.exe	85
2572	1160	WerFault.exe	107
2568	4848	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 4300 wrote to memory of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 4300 wrote to memory of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 4300 wrote to memory of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 4300 wrote to memory of 4672	4300	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	83
PID 4672 wrote to memory of 2568	4672	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	85
PID 4672 wrote to memory of 2568	4672	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	85
PID 4672 wrote to memory of 2568	4672	33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe	85
PID 2568 wrote to memory of 4684	2568	omsecor.exe	88
PID 2568 wrote to memory of 4684	2568	omsecor.exe	88
PID 2568 wrote to memory of 4684	2568	omsecor.exe	88
PID 2568 wrote to memory of 4684	2568	omsecor.exe	88
PID 2568 wrote to memory of 4684	2568	omsecor.exe	88
PID 4684 wrote to memory of 1160	4684	omsecor.exe	107
PID 4684 wrote to memory of 1160	4684	omsecor.exe	107
PID 4684 wrote to memory of 1160	4684	omsecor.exe	107
PID 1160 wrote to memory of 4528	1160	omsecor.exe	108
PID 1160 wrote to memory of 4528	1160	omsecor.exe	108
PID 1160 wrote to memory of 4528	1160	omsecor.exe	108
PID 1160 wrote to memory of 4528	1160	omsecor.exe	108
PID 1160 wrote to memory of 4528	1160	omsecor.exe	108
PID 4528 wrote to memory of 4848	4528	omsecor.exe	110
PID 4528 wrote to memory of 4848	4528	omsecor.exe	110
PID 4528 wrote to memory of 4848	4528	omsecor.exe	110
PID 4848 wrote to memory of 2916	4848	omsecor.exe	112
PID 4848 wrote to memory of 2916	4848	omsecor.exe	112
PID 4848 wrote to memory of 2916	4848	omsecor.exe	112
PID 4848 wrote to memory of 2916	4848	omsecor.exe	112
PID 4848 wrote to memory of 2916	4848	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
"C:\Users\Admin\AppData\Local\Temp\33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
  C:\Users\Admin\AppData\Local\Temp\33a402fc0cf6afdaeb3bd4491a6a8a9a58731a2d48de68af96b58eee1a034f0b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 256
        8⤵
        Program crash
        
        PID:2568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 292
        6⤵
        Program crash
        
        PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 300
      4⤵
      Program crash
      PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 288
  2⤵
  - Program crash
  PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4300 -ip 4300
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1160 -ip 1160
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
44871f499b718565fddd1b7c5fcc5e48

SHA1
c4398d82eb9e711d7a180837357765c77a787cc8

SHA256
d2a6723456354db1f95a5cbae4c0fb200a2f6dc5b841de2841c5d5d4fd4b45f0

SHA512
f58f8443821eca56c9001d3e0c1b881532e70a28091862f6cff80130094d4dfd22244e0884679594e5637a2e1a3649fda5da6a0e96328beaeccfa3dff4890de4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a4dc09214b2c271e5c26947dbf095c1a

SHA1
305d5ef53ec693db337e18f1f9e8a8c633aec6b7

SHA256
0a49ba2f718f792983dc191df7d375ac8cd02e9a9afa94d1e9d3a058ff07aa2d

SHA512
4421a5621b57be7d173e98eee914293b45dcb8653ab6c78d7f5677d0104ce69f63afe74688252db915a81ec22aa830913637857d983ba6f4a0cfa58a0788de55

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
211667885d9f37dc6e04f803cdf59e43

SHA1
71b8ac96efb6afc05159bcd8dd5efc5120678079

SHA256
7ebf511d70c799aae79fd1e8d3c7d263c519554b08a41dadd1b85b3dd5c011e8

SHA512
838a327eaa6a99d6a93ed39d8c71a318d490bdc10437170a961a0e5f5718d760e9f6f8d7a8fce84b31fa78801d11e8ac34a01b7d08b53d68db6cb9dbb6aa7968

Download Submit
memory/1160-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1160-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2568-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2568-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2916-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4300-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4300-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4528-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4528-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4684-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4848-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download