neconyd | 95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488c

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
Size

134KB
MD5

40e2396dc161bed1a4864ebe78e50320
SHA1

242b7e4f41850080d11d81902cbbea32cf078414
SHA256

95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488c
SHA512

71188890e9856eac2275421c6d795eb40fbc321b511ad27c5c1ae51ce5aea54963d03c315dc9fa2203b4cf41975e7a133e867a5f2e3dc796340b5b6fd00c1008
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:8iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1852	omsecor.exe
3480	omsecor.exe
620	omsecor.exe
3964	omsecor.exe
2088	omsecor.exe
4320	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3088 set thread context of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 1852 set thread context of 3480	1852	omsecor.exe	88
PID 620 set thread context of 3964	620	omsecor.exe	108
PID 2088 set thread context of 4320	2088	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4144	3088	WerFault.exe	82
3696	1852	WerFault.exe	86
3116	620	WerFault.exe	107
4068	2088	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 3088 wrote to memory of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 3088 wrote to memory of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 3088 wrote to memory of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 3088 wrote to memory of 1680	3088	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	83
PID 1680 wrote to memory of 1852	1680	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	86
PID 1680 wrote to memory of 1852	1680	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	86
PID 1680 wrote to memory of 1852	1680	95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe	86
PID 1852 wrote to memory of 3480	1852	omsecor.exe	88
PID 1852 wrote to memory of 3480	1852	omsecor.exe	88
PID 1852 wrote to memory of 3480	1852	omsecor.exe	88
PID 1852 wrote to memory of 3480	1852	omsecor.exe	88
PID 1852 wrote to memory of 3480	1852	omsecor.exe	88
PID 3480 wrote to memory of 620	3480	omsecor.exe	107
PID 3480 wrote to memory of 620	3480	omsecor.exe	107
PID 3480 wrote to memory of 620	3480	omsecor.exe	107
PID 620 wrote to memory of 3964	620	omsecor.exe	108
PID 620 wrote to memory of 3964	620	omsecor.exe	108
PID 620 wrote to memory of 3964	620	omsecor.exe	108
PID 620 wrote to memory of 3964	620	omsecor.exe	108
PID 620 wrote to memory of 3964	620	omsecor.exe	108
PID 3964 wrote to memory of 2088	3964	omsecor.exe	110
PID 3964 wrote to memory of 2088	3964	omsecor.exe	110
PID 3964 wrote to memory of 2088	3964	omsecor.exe	110
PID 2088 wrote to memory of 4320	2088	omsecor.exe	112
PID 2088 wrote to memory of 4320	2088	omsecor.exe	112
PID 2088 wrote to memory of 4320	2088	omsecor.exe	112
PID 2088 wrote to memory of 4320	2088	omsecor.exe	112
PID 2088 wrote to memory of 4320	2088	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
"C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
  C:\Users\Admin\AppData\Local\Temp\95c7ba45a94a98713c24bd664cfb4c5e4f6c3daf681530799f1372161ada488cN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 256
        8⤵
        Program crash
        
        PID:4068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 300
        6⤵
        Program crash
        
        PID:3116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 292
      4⤵
      Program crash
      PID:3696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 288
  2⤵
  - Program crash
  PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1852 -ip 1852
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 620 -ip 620
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2088 -ip 2088
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9b4ed228babe75ddc6fa28e6722ed4fe

SHA1
1156039cb072d47fe38109e8916ba3e04b26cd38

SHA256
c69e950b908a7aa1850414c1408f7819464ebf8efcc89ec9e6a53d376b6196fa

SHA512
1bb34c19add3c13a6f944b4a024c3f84fb8ab7e8f5a1bfc23432fd37b2da7c8126d957e50f476c13cb1f9bdc817b123710e78b796d236bbf3991b7aa2bbfa1e1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
5733c1c862fc364b7684efcdf5455181

SHA1
8d6eb658c046d5c64aeaa00220cce480de3f572d

SHA256
0fb3367431279b3484dd5567256ded889476174e1d1e52814bc9e7c2ae3016b9

SHA512
fc9c6567836a1001c9b58229ee929a8da425cb7aec90c6f18803c5e370d0cc7daa2f10cff972916dac22612eacca27d419a2bd1f056e3ae7b5919ed36ec807e7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
9dffae443af8f064106c0d08349587a6

SHA1
a89a8b85bd7239cd403eb6963a4f33447007ea8d

SHA256
0eeb584a0d49ee5a5b75b7dd774a07f010b84cd301edeeec3d8e7edd3776e438

SHA512
4498993c0c6bd101e612b17ce61968c03cfd37b5a253ca2040e624e4a41145e4fecd41e27d4be80f55871e354970e55271266ca5b1f5072c2233a618321ef091

Download Submit
memory/620-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/620-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1852-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2088-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2088-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3088-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3088-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3480-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3480-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3964-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4320-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4320-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4320-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download