neconyd | 61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Size

96KB
MD5

95a659337ba9854552afc655c14415c0
SHA1

d1698c372887ff93d1bdb37cdb9437b86559e961
SHA256

61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0
SHA512

ef08e6157d7e84571f7accafa96b64fc8e144b72bac4a4c968be875a555470ff74347510b723bf9279b3b7f2867189f3ddddccd5ec500f34ebbe086fe5b9f999
SSDEEP

1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:fGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3880	omsecor.exe
3104	omsecor.exe
920	omsecor.exe
4744	omsecor.exe
2400	omsecor.exe
5020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 3880 set thread context of 3104	3880	omsecor.exe	88
PID 920 set thread context of 4744	920	omsecor.exe	108
PID 2400 set thread context of 5020	2400	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
632	1256	WerFault.exe	82
2976	3880	WerFault.exe	85
1176	920	WerFault.exe	107
4840	2400	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 1256 wrote to memory of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 1256 wrote to memory of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 1256 wrote to memory of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 1256 wrote to memory of 3384	1256	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	83
PID 3384 wrote to memory of 3880	3384	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	85
PID 3384 wrote to memory of 3880	3384	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	85
PID 3384 wrote to memory of 3880	3384	61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe	85
PID 3880 wrote to memory of 3104	3880	omsecor.exe	88
PID 3880 wrote to memory of 3104	3880	omsecor.exe	88
PID 3880 wrote to memory of 3104	3880	omsecor.exe	88
PID 3880 wrote to memory of 3104	3880	omsecor.exe	88
PID 3880 wrote to memory of 3104	3880	omsecor.exe	88
PID 3104 wrote to memory of 920	3104	omsecor.exe	107
PID 3104 wrote to memory of 920	3104	omsecor.exe	107
PID 3104 wrote to memory of 920	3104	omsecor.exe	107
PID 920 wrote to memory of 4744	920	omsecor.exe	108
PID 920 wrote to memory of 4744	920	omsecor.exe	108
PID 920 wrote to memory of 4744	920	omsecor.exe	108
PID 920 wrote to memory of 4744	920	omsecor.exe	108
PID 920 wrote to memory of 4744	920	omsecor.exe	108
PID 4744 wrote to memory of 2400	4744	omsecor.exe	110
PID 4744 wrote to memory of 2400	4744	omsecor.exe	110
PID 4744 wrote to memory of 2400	4744	omsecor.exe	110
PID 2400 wrote to memory of 5020	2400	omsecor.exe	112
PID 2400 wrote to memory of 5020	2400	omsecor.exe	112
PID 2400 wrote to memory of 5020	2400	omsecor.exe	112
PID 2400 wrote to memory of 5020	2400	omsecor.exe	112
PID 2400 wrote to memory of 5020	2400	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
"C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
  C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 268
        8⤵
        Program crash
        
        PID:4840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 292
        6⤵
        Program crash
        
        PID:1176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 272
      4⤵
      Program crash
      PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 288
  2⤵
  - Program crash
  PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1256 -ip 1256
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 920 -ip 920
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2400 -ip 2400
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
31d204b97bdc90cf96b60f5f2ce8371e

SHA1
33bc6bfaffbf08121512aa91faa87d4f5c9f460c

SHA256
3ea243e4fc5caabc09c92de2513f3cf8df19cb08d88a96f7a7efb859b85ae52e

SHA512
05f5089aeb2b90231ceaea642535dd1d9dd48bb818499fccc9efdb6ba6c0857e83362419d2e5ff1d0a7c20905ec5b6c109c3c923c9f6aa895f66efc1fdf0a36a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c8d08fd0969ae3efa590c45cd4fa1284

SHA1
a4df5ff9c1525d224fc8c958872df8edabb56c69

SHA256
aa7fe942285d6c9c7c5b89abea90a6be7504835a6024272729117ed63e919421

SHA512
08589c178eade936993f6ecd047b189a24164544c111446aef73e1d2b3113d4590058b28b992da875929d6cb7eb00162f6970ac964d6f9a5c8b8213e0d378888

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c8019ad1b2adf76b0e10b81c3e5d01ac

SHA1
0c8c9ace4af330d0132bf7a785e3c057c990fa2b

SHA256
7a3c322c2054e1ffeaafc6e6bea9fa46e58beef1960fec2bb36eb903b3e50243

SHA512
b05626d691b6899ba03d8b4351fd4f8c7436d6c722a3dad6c1d87a7a8d8e903960ae4bcef8a7645d732c9d92a193f31bc22365f7e6fdd4e03f2d509cc73bff50

Download Submit
memory/920-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/920-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1256-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1256-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3104-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3104-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3384-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3384-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3384-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3384-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3880-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3880-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4744-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4744-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4744-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download