neconyd | 2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
Size

134KB
MD5

ffd393c95099a09f7fa9e5af1071da2c
SHA1

4dce504ca96b683483bc13db23810c116142b8ea
SHA256

2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46
SHA512

5563c114746c8e4fb660f2c0f8f9f3355e19e22118df346b049c9f2387a390c2ec33defc2fcfcbbe94cb9c81045ba873df7c2196dbf4ee8dd0299f2cbec76b82
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiv:8iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4104	omsecor.exe
4704	omsecor.exe
1232	omsecor.exe
2280	omsecor.exe
1744	omsecor.exe
2736	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 372 set thread context of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 4104 set thread context of 4704	4104	omsecor.exe	86
PID 1232 set thread context of 2280	1232	omsecor.exe	100
PID 1744 set thread context of 2736	1744	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2388	372	WerFault.exe	81
1072	4104	WerFault.exe	85
4248	1232	WerFault.exe	99
4788	1744	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 372 wrote to memory of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 372 wrote to memory of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 372 wrote to memory of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 372 wrote to memory of 3924	372	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	82
PID 3924 wrote to memory of 4104	3924	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	85
PID 3924 wrote to memory of 4104	3924	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	85
PID 3924 wrote to memory of 4104	3924	2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe	85
PID 4104 wrote to memory of 4704	4104	omsecor.exe	86
PID 4104 wrote to memory of 4704	4104	omsecor.exe	86
PID 4104 wrote to memory of 4704	4104	omsecor.exe	86
PID 4104 wrote to memory of 4704	4104	omsecor.exe	86
PID 4104 wrote to memory of 4704	4104	omsecor.exe	86
PID 4704 wrote to memory of 1232	4704	omsecor.exe	99
PID 4704 wrote to memory of 1232	4704	omsecor.exe	99
PID 4704 wrote to memory of 1232	4704	omsecor.exe	99
PID 1232 wrote to memory of 2280	1232	omsecor.exe	100
PID 1232 wrote to memory of 2280	1232	omsecor.exe	100
PID 1232 wrote to memory of 2280	1232	omsecor.exe	100
PID 1232 wrote to memory of 2280	1232	omsecor.exe	100
PID 1232 wrote to memory of 2280	1232	omsecor.exe	100
PID 2280 wrote to memory of 1744	2280	omsecor.exe	102
PID 2280 wrote to memory of 1744	2280	omsecor.exe	102
PID 2280 wrote to memory of 1744	2280	omsecor.exe	102
PID 1744 wrote to memory of 2736	1744	omsecor.exe	104
PID 1744 wrote to memory of 2736	1744	omsecor.exe	104
PID 1744 wrote to memory of 2736	1744	omsecor.exe	104
PID 1744 wrote to memory of 2736	1744	omsecor.exe	104
PID 1744 wrote to memory of 2736	1744	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
"C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
  C:\Users\Admin\AppData\Local\Temp\2a124582ada4abe496d54c706932bf89fc9e9834113fa33d076f987dfb756a46.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 256
        8⤵
        Program crash
        
        PID:4788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 292
        6⤵
        Program crash
        
        PID:4248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 288
      4⤵
      Program crash
      PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 288
  2⤵
  - Program crash
  PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 372 -ip 372
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4104 -ip 4104
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1232 -ip 1232
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1744 -ip 1744
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d395b2d1a3ecb06d644ed974ab7c6bf4

SHA1
3510829f6732605dc38036021b1397eca83bb06c

SHA256
9f695207272239069266539f970c86e69068971a205d16bc836f926059836f14

SHA512
1c43f08caf3931731c7f00e410bbaf32eb6dfd956f1079488bc5b545c9b86fddc3d907ae749b3ab19d5ce0b2bcabffbea3dc0b0840f0d79bf2f36cfd9076127a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e39c759d06f52d4c0ed51fefebdc2342

SHA1
a99877f6d34653c4163fdc5cede9b70e61f492f1

SHA256
fa09cdfb7306cf78105dfc7eb06ae6969fe4770c5ef8e20a10cf646c2836ceb5

SHA512
74e6ba03b811ccecec58a663e5178ef6d129d5efb1300f8eff91374575f8f4a042b9bbd22e3ec2c49930b1b11597a4524ccdab3f026317760e14db666888957e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e1bff33ad5f4cc4ec288a20e45e48285

SHA1
23d1093013eebeadb727427add793b3a2bca4ad8

SHA256
fbc43190c460c5a9a9d176025843910cacd5dacd1afa817329595b97bc02d141

SHA512
31bd31e13bfc456d45e9d2b58d784ae9dc5d686816bbc57a9c0dca81dedeb7b66b982a7109ef474f911205ad12c25a9f6c00481918330fffd3bdeb244e02b794

Download Submit
memory/372-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/372-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2280-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2280-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3924-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3924-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3924-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3924-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4104-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4104-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4704-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download