neconyd | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Size

96KB
MD5

424f283b670f5184ae95851fe76a3603
SHA1

e95026178513a139cf4c9d44f37d1142bb8559ce
SHA256

0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db
SHA512

a11068534d6917d2bc4a5d985606ad9dc4b5f1c5dc506bd3bae6ee7e251c3c41e53d9b27abcc1712bbc70ef6417436cf7b2fe17cd80bce2adc4bdfb7a2262210
SSDEEP

1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:WGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2816	omsecor.exe
2848	omsecor.exe
1604	omsecor.exe
1836	omsecor.exe
428	omsecor.exe
2624	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 2816 set thread context of 2848	2816	omsecor.exe	87
PID 1604 set thread context of 1836	1604	omsecor.exe	108
PID 428 set thread context of 2624	428	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4892	5056	WerFault.exe	82
4568	2816	WerFault.exe	86
2136	1604	WerFault.exe	107
2308	428	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 5056 wrote to memory of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 5056 wrote to memory of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 5056 wrote to memory of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 5056 wrote to memory of 4628	5056	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	83
PID 4628 wrote to memory of 2816	4628	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	86
PID 4628 wrote to memory of 2816	4628	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	86
PID 4628 wrote to memory of 2816	4628	0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe	86
PID 2816 wrote to memory of 2848	2816	omsecor.exe	87
PID 2816 wrote to memory of 2848	2816	omsecor.exe	87
PID 2816 wrote to memory of 2848	2816	omsecor.exe	87
PID 2816 wrote to memory of 2848	2816	omsecor.exe	87
PID 2816 wrote to memory of 2848	2816	omsecor.exe	87
PID 2848 wrote to memory of 1604	2848	omsecor.exe	107
PID 2848 wrote to memory of 1604	2848	omsecor.exe	107
PID 2848 wrote to memory of 1604	2848	omsecor.exe	107
PID 1604 wrote to memory of 1836	1604	omsecor.exe	108
PID 1604 wrote to memory of 1836	1604	omsecor.exe	108
PID 1604 wrote to memory of 1836	1604	omsecor.exe	108
PID 1604 wrote to memory of 1836	1604	omsecor.exe	108
PID 1604 wrote to memory of 1836	1604	omsecor.exe	108
PID 1836 wrote to memory of 428	1836	omsecor.exe	110
PID 1836 wrote to memory of 428	1836	omsecor.exe	110
PID 1836 wrote to memory of 428	1836	omsecor.exe	110
PID 428 wrote to memory of 2624	428	omsecor.exe	112
PID 428 wrote to memory of 2624	428	omsecor.exe	112
PID 428 wrote to memory of 2624	428	omsecor.exe	112
PID 428 wrote to memory of 2624	428	omsecor.exe	112
PID 428 wrote to memory of 2624	428	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
"C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 268
        8⤵
        Program crash
        
        PID:2308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 292
        6⤵
        Program crash
        
        PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 288
      4⤵
      Program crash
      PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 300
  2⤵
  - Program crash
  PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2816 -ip 2816
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1604 -ip 1604
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 428 -ip 428
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c82a8df0bc50b0b9118b443c8e41e54e

SHA1
65bd77751c494aece4650d0c248e51747721fba2

SHA256
6f802dcd68d1dd9bb32304d70c2a4f2a10867d2918dbc9355771bb438edc9ad2

SHA512
292b2047bdf12bc5eede6438c2edf843898256b32d7d9523238b5e1493504c3140bd2cd19f7c4b8c8a3c962cb25da2fdb5b4d19443fc76afec751d40a6fa9885

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
53966f9be167af83b0ba210b95aa4a6e

SHA1
c6dd9bf60a28b3112f07d83603baf83dbffad9c0

SHA256
0d70416395b922c2b4e43afc07122734f46911f80ff8886bad5890018aed205a

SHA512
b04ca4174a788a320bc6f17d06527200c357b293b2d5b064b605a8ba24f3f5a55c8b383b8def35e9454ab8dfb7d0e9a9a4124369d024553b67e7430e81fcc834

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
48a261900db1d7ba6c6e9555ad28a01a

SHA1
94e91a0db4d3fa5d95f948b13b89b7457938943f

SHA256
43baa10f8b8a798260a70c109ee8536363107f795c1e21ed30fc94f2be31ede8

SHA512
fed8705ca2c7d268dc37790d7ef5c05095821e7e82c398e545e9057c61b67cc57ea3e6d3a991e5b213b100eb824eddc0fbd41291d667ec3a684a85385e552be2

Download Submit
memory/428-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/428-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1604-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1604-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1836-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1836-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2816-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2848-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5056-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download