neconyd | b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Size

134KB
MD5

98bc18d83207c88983f907562764918b
SHA1

ca02fb1d6c55cca9ec9353ab2a6c377109c1cd55
SHA256

b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42
SHA512

b6062b0ad9216c9a4a0763e8d5594b3f81f97da9343769c43d006e347803be595bdec05127b1e1a4a8dd162ce86c193a5bb2ba5ebefa90f616a1b38ecc0ab85e
SSDEEP

1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:jiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4392	omsecor.exe
2848	omsecor.exe
1160	omsecor.exe
4580	omsecor.exe
3992	omsecor.exe
2276	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4456 set thread context of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 4392 set thread context of 2848	4392	omsecor.exe	87
PID 1160 set thread context of 4580	1160	omsecor.exe	108
PID 3992 set thread context of 2276	3992	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2392	4456	WerFault.exe	82
1544	4392	WerFault.exe	85
5008	1160	WerFault.exe	107
3300	3992	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 4456 wrote to memory of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 4456 wrote to memory of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 4456 wrote to memory of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 4456 wrote to memory of 3056	4456	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	83
PID 3056 wrote to memory of 4392	3056	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	85
PID 3056 wrote to memory of 4392	3056	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	85
PID 3056 wrote to memory of 4392	3056	b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe	85
PID 4392 wrote to memory of 2848	4392	omsecor.exe	87
PID 4392 wrote to memory of 2848	4392	omsecor.exe	87
PID 4392 wrote to memory of 2848	4392	omsecor.exe	87
PID 4392 wrote to memory of 2848	4392	omsecor.exe	87
PID 4392 wrote to memory of 2848	4392	omsecor.exe	87
PID 2848 wrote to memory of 1160	2848	omsecor.exe	107
PID 2848 wrote to memory of 1160	2848	omsecor.exe	107
PID 2848 wrote to memory of 1160	2848	omsecor.exe	107
PID 1160 wrote to memory of 4580	1160	omsecor.exe	108
PID 1160 wrote to memory of 4580	1160	omsecor.exe	108
PID 1160 wrote to memory of 4580	1160	omsecor.exe	108
PID 1160 wrote to memory of 4580	1160	omsecor.exe	108
PID 1160 wrote to memory of 4580	1160	omsecor.exe	108
PID 4580 wrote to memory of 3992	4580	omsecor.exe	110
PID 4580 wrote to memory of 3992	4580	omsecor.exe	110
PID 4580 wrote to memory of 3992	4580	omsecor.exe	110
PID 3992 wrote to memory of 2276	3992	omsecor.exe	112
PID 3992 wrote to memory of 2276	3992	omsecor.exe	112
PID 3992 wrote to memory of 2276	3992	omsecor.exe	112
PID 3992 wrote to memory of 2276	3992	omsecor.exe	112
PID 3992 wrote to memory of 2276	3992	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
"C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
  C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 264
        8⤵
        Program crash
        
        PID:3300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 296
        6⤵
        Program crash
        
        PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 288
      4⤵
      Program crash
      PID:1544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 300
  2⤵
  - Program crash
  PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4456 -ip 4456
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1160 -ip 1160
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3992 -ip 3992
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
20180de6e32a7cbebbb1628f087857a2

SHA1
28027e2eee081e71ddfcf46338293aec51c4664d

SHA256
b75d557e63a292b7ca4f7daeb43695afc6ca115b09351759f6a3017294be7f2e

SHA512
f8417e3752b7fef833d3122a966a3565d72afea4747fbc705ddd10e339017761613b81b40a6cab6a4e4ee6e6f663ed5ff22f53f8102af19ca6eaf06433fe96d5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
38558e5f21c3321c91e3f8257952429b

SHA1
ed0679de9dc7567f19e87982e68165086a4bed5c

SHA256
ba72918598727e6415bbd398684717d2bdb8ecd84e46ee7896f9927785a4e86d

SHA512
56aa885c0754a2ca12c4a0c3b3997960af0b18418df59b4fb1729991a5026d2b98d727b1c07ee33df9f32fdc6a05e1785499868760333a8daf32ed4f18a9adf0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
361f6dfc2ce0af918723c1a463153a7b

SHA1
b21ea454a3bd3246af53a74b0e9e8dec1caa1b70

SHA256
df72b3a76350f661c37adce819dc91c072c7d6bebb5101bcbffb83e43925373d

SHA512
f5cb47144bb8d1e2cdd1e5908a2728a143038422d20bbb536d9a8c6266c723059a8321320f0168d902bb98f70ffb6007db865bd337f6c19fbb6bd8024bdabe0f

Download Submit
memory/1160-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1160-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2276-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3992-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4392-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4456-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4456-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4580-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4580-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4580-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download