neconyd | 71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
Size

96KB
MD5

62bb14a05c1ce9ce8dec97f5a134ad30
SHA1

1d5ac62685976da5a272a1aee97b47b56b7fef1e
SHA256

71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780
SHA512

a538e6ac4da02ea15dba077411a6f7a0a047d992453518eac50e4f7d06c191fe31270adafc66cb9ec01cce35a9989b1b6fbf8e207ec41956ddb191386ed2cff1
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:DGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4536	omsecor.exe
4032	omsecor.exe
4760	omsecor.exe
4592	omsecor.exe
3808	omsecor.exe
3456	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 4536 set thread context of 4032	4536	omsecor.exe	87
PID 4760 set thread context of 4592	4760	omsecor.exe	108
PID 3808 set thread context of 3456	3808	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4268	2780	WerFault.exe	82
2696	4536	WerFault.exe	86
748	4760	WerFault.exe	107
2472	3808	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 2780 wrote to memory of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 2780 wrote to memory of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 2780 wrote to memory of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 2780 wrote to memory of 3068	2780	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	83
PID 3068 wrote to memory of 4536	3068	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	86
PID 3068 wrote to memory of 4536	3068	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	86
PID 3068 wrote to memory of 4536	3068	71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe	86
PID 4536 wrote to memory of 4032	4536	omsecor.exe	87
PID 4536 wrote to memory of 4032	4536	omsecor.exe	87
PID 4536 wrote to memory of 4032	4536	omsecor.exe	87
PID 4536 wrote to memory of 4032	4536	omsecor.exe	87
PID 4536 wrote to memory of 4032	4536	omsecor.exe	87
PID 4032 wrote to memory of 4760	4032	omsecor.exe	107
PID 4032 wrote to memory of 4760	4032	omsecor.exe	107
PID 4032 wrote to memory of 4760	4032	omsecor.exe	107
PID 4760 wrote to memory of 4592	4760	omsecor.exe	108
PID 4760 wrote to memory of 4592	4760	omsecor.exe	108
PID 4760 wrote to memory of 4592	4760	omsecor.exe	108
PID 4760 wrote to memory of 4592	4760	omsecor.exe	108
PID 4760 wrote to memory of 4592	4760	omsecor.exe	108
PID 4592 wrote to memory of 3808	4592	omsecor.exe	110
PID 4592 wrote to memory of 3808	4592	omsecor.exe	110
PID 4592 wrote to memory of 3808	4592	omsecor.exe	110
PID 3808 wrote to memory of 3456	3808	omsecor.exe	112
PID 3808 wrote to memory of 3456	3808	omsecor.exe	112
PID 3808 wrote to memory of 3456	3808	omsecor.exe	112
PID 3808 wrote to memory of 3456	3808	omsecor.exe	112
PID 3808 wrote to memory of 3456	3808	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
"C:\Users\Admin\AppData\Local\Temp\71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
  C:\Users\Admin\AppData\Local\Temp\71f041c2226479cd85399a52ad3b825cc49b0e408f7a6c25f8322aca1474f780N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 256
        8⤵
        Program crash
        
        PID:2472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 292
        6⤵
        Program crash
        
        PID:748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 276
      4⤵
      Program crash
      PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 288
  2⤵
  - Program crash
  PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4536 -ip 4536
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3808 -ip 3808
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7d56c6503a420b874776af67f24900d0

SHA1
e20e76239e7cb332c870561566c797776086be6a

SHA256
b17c5a86ecb60b8952176f145dcf124568aa41bbc7334301e607059c879c347d

SHA512
7a0e3d43ed3712b4040c7b5d2572fdbfe319fba0a355565c05a8fb84ceeeeabe7e6036eede66b332118114d1fa5514b85720bb3df61eba100d4a4e569e6511ce

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0b3b42c52445e6795811414d69a3c890

SHA1
ad79a0c72d7067bc25430436aa01ea0840f37065

SHA256
00b0a4962bdef18c5088433a3ae26cbb03ccd6cb71d1ac3c69fb55d10353a17d

SHA512
3ba115c99f847103afe2fcebdfe57db314b46953049c3b48b0cb077a9fa9005ed95260c9571fca4e0506e6c9f9fafb38503908fc7941f419f92c47bc97d41442

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c4b4e98d1ac1eb616221ff9ee8365244

SHA1
596153afe4037024474e9128830ea3f604bbc673

SHA256
0d9b20a34ff3225ad261c9e51b8877f5c69ea61fc967a0766013755c9d260e39

SHA512
12fc99e864b3e7502fba5a372f089ebde59a84e32c97c3645448402a21aa93d137be34a9ba105054318b3d77416615392a6fd076d113deff6e69b61d96e83981

Download Submit
memory/2780-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2780-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3808-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3808-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4536-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4592-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4760-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4760-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download