neconyd | c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Size

96KB
MD5

db7b422f5b010b0473a544c5014ebfe0
SHA1

d0c3a080ce186aff0c6ca776c3b99d62b53d36ed
SHA256

c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3
SHA512

e319b6c244157ca4438b4bfb4e5e7de807aa56d5c82c241ac89a930144f47f369d39f8e25c7dcfce8eec78fbdf8838f874390a80f685cad0345f345d418d8f14
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:jGs8cd8eXlYairZYqMddH13J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4776	omsecor.exe
1340	omsecor.exe
3368	omsecor.exe
5048	omsecor.exe
4384	omsecor.exe
4576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 4776 set thread context of 1340	4776	omsecor.exe	86
PID 3368 set thread context of 5048	3368	omsecor.exe	100
PID 4384 set thread context of 4576	4384	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3936	1260	WerFault.exe	81
3956	4776	WerFault.exe	84
5104	3368	WerFault.exe	99
2404	4384	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 1260 wrote to memory of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 1260 wrote to memory of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 1260 wrote to memory of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 1260 wrote to memory of 2332	1260	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	82
PID 2332 wrote to memory of 4776	2332	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	84
PID 2332 wrote to memory of 4776	2332	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	84
PID 2332 wrote to memory of 4776	2332	c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe	84
PID 4776 wrote to memory of 1340	4776	omsecor.exe	86
PID 4776 wrote to memory of 1340	4776	omsecor.exe	86
PID 4776 wrote to memory of 1340	4776	omsecor.exe	86
PID 4776 wrote to memory of 1340	4776	omsecor.exe	86
PID 4776 wrote to memory of 1340	4776	omsecor.exe	86
PID 1340 wrote to memory of 3368	1340	omsecor.exe	99
PID 1340 wrote to memory of 3368	1340	omsecor.exe	99
PID 1340 wrote to memory of 3368	1340	omsecor.exe	99
PID 3368 wrote to memory of 5048	3368	omsecor.exe	100
PID 3368 wrote to memory of 5048	3368	omsecor.exe	100
PID 3368 wrote to memory of 5048	3368	omsecor.exe	100
PID 3368 wrote to memory of 5048	3368	omsecor.exe	100
PID 3368 wrote to memory of 5048	3368	omsecor.exe	100
PID 5048 wrote to memory of 4384	5048	omsecor.exe	102
PID 5048 wrote to memory of 4384	5048	omsecor.exe	102
PID 5048 wrote to memory of 4384	5048	omsecor.exe	102
PID 4384 wrote to memory of 4576	4384	omsecor.exe	104
PID 4384 wrote to memory of 4576	4384	omsecor.exe	104
PID 4384 wrote to memory of 4576	4384	omsecor.exe	104
PID 4384 wrote to memory of 4576	4384	omsecor.exe	104
PID 4384 wrote to memory of 4576	4384	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
"C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
  C:\Users\Admin\AppData\Local\Temp\c0aa6995b5ec91e77fbce0187da9a417c574e160c15bbc6e5c64e7961fd42fb3N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 268
        8⤵
        Program crash
        
        PID:2404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 296
        6⤵
        Program crash
        
        PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 288
      4⤵
      Program crash
      PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 288
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4776 -ip 4776
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3368 -ip 3368
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4384 -ip 4384
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
71d62fb32e44d3e2fe399fdf8a8be5d0

SHA1
c97bbd098dc850719be16571d4d9d7dcc1c6a886

SHA256
7146703b9e84a5eeca498f5dad3837aed1080021949d677ed130652eb3fc10e2

SHA512
53b75fe16e3b3b98325e7cec8e4a8097d6032f095f20067a9e46fd904809f71df1a327d5c16803cf9d82358773ef44e727f1de7994d8ee8182c149cce8e15c28

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2aed31ff0df4d34a3e71918f2a13be03

SHA1
b18fa3a7d34d72cbc665073ab895c7cd38310d2d

SHA256
81faaf01155fee7b19fcb3cce84f852c9d1b72d5e38186864cef2ef8274a6885

SHA512
887892458bb6296cf614b25803e6642637f59cc308483e2038f902dce5ddadb025d22d2d0a30191a3baedfc33ff47ec33d30fbd8bfc026199e06684e5b3e1503

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
235b4984233a80f0057b8b5c662488df

SHA1
a1de6c3c96a40086521f3edce61a9b9e3e88f818

SHA256
8097cae650d389db4faebfa94217cc03a76de8acf7ccfbe8f0ff2dbd248da947

SHA512
497a5ddbf080910218bff13e42c7fcede5135342418dd9dc30de1c744e0eaf06331aaac43d7f6340431bcc495b423513efb2cedbf5b3f01ce9607dbe43308634

Download Submit
memory/1260-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1260-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3368-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3368-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4384-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4384-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4576-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4776-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4776-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5048-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download