neconyd | 6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Size

96KB
MD5

814733274f353ce8fc4f848ededbe1d0
SHA1

09f8833933b33adffe648fdc6c7723e8e2a89a57
SHA256

6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89
SHA512

4e0a8812c1622b82a4805258bd1b82565599eb9070f6bf9eb172adadfec30365192349792b45184f3ec7efccb0ce02c3bb31970f103df31813e15342206ff5dc
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:EGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2928	omsecor.exe
2732	omsecor.exe
4964	omsecor.exe
3016	omsecor.exe
368	omsecor.exe
3424	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 2928 set thread context of 2732	2928	omsecor.exe	86
PID 4964 set thread context of 3016	4964	omsecor.exe	100
PID 368 set thread context of 3424	368	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1884	384	WerFault.exe	81
3780	2928	WerFault.exe	84
3604	4964	WerFault.exe	99
4408	368	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 384 wrote to memory of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 384 wrote to memory of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 384 wrote to memory of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 384 wrote to memory of 1536	384	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	82
PID 1536 wrote to memory of 2928	1536	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	84
PID 1536 wrote to memory of 2928	1536	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	84
PID 1536 wrote to memory of 2928	1536	6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe	84
PID 2928 wrote to memory of 2732	2928	omsecor.exe	86
PID 2928 wrote to memory of 2732	2928	omsecor.exe	86
PID 2928 wrote to memory of 2732	2928	omsecor.exe	86
PID 2928 wrote to memory of 2732	2928	omsecor.exe	86
PID 2928 wrote to memory of 2732	2928	omsecor.exe	86
PID 2732 wrote to memory of 4964	2732	omsecor.exe	99
PID 2732 wrote to memory of 4964	2732	omsecor.exe	99
PID 2732 wrote to memory of 4964	2732	omsecor.exe	99
PID 4964 wrote to memory of 3016	4964	omsecor.exe	100
PID 4964 wrote to memory of 3016	4964	omsecor.exe	100
PID 4964 wrote to memory of 3016	4964	omsecor.exe	100
PID 4964 wrote to memory of 3016	4964	omsecor.exe	100
PID 4964 wrote to memory of 3016	4964	omsecor.exe	100
PID 3016 wrote to memory of 368	3016	omsecor.exe	102
PID 3016 wrote to memory of 368	3016	omsecor.exe	102
PID 3016 wrote to memory of 368	3016	omsecor.exe	102
PID 368 wrote to memory of 3424	368	omsecor.exe	104
PID 368 wrote to memory of 3424	368	omsecor.exe	104
PID 368 wrote to memory of 3424	368	omsecor.exe	104
PID 368 wrote to memory of 3424	368	omsecor.exe	104
PID 368 wrote to memory of 3424	368	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
"C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 256
        8⤵
        Program crash
        
        PID:4408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 292
        6⤵
        Program crash
        
        PID:3604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 288
      4⤵
      Program crash
      PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 292
  2⤵
  - Program crash
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 384 -ip 384
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2928 -ip 2928
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4964 -ip 4964
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 368 -ip 368
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1f6b081f0fc556963d041e3f99ed03ed

SHA1
bbe18363783e89277df545f0134cecee0a6b341e

SHA256
44599321f98b4c78d075c72c243d681c327d51bae4de864c9bf9db73f929c2e3

SHA512
5d5eab023bc1efce4009efd37c59173ad76ae64eb5428540bce1fbc51bda833f6367733bcbc31c8d9c8b2027ee93fe86bf5c952e55ea09a1fb53550a6aa7b1f9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6ebfdd297b8dbfdda90e46785788f35b

SHA1
a7fac01130f84b7827df1d7fdac4bba2fde58762

SHA256
d38259ea04d6c7ea46c4cecbeb2bc90c923bff6489c34fbd4d7b9a4b906c7166

SHA512
9160b5b22a08645e602cef60333bc3181a8d043113bbe55cdd450a6fac603b7be179b6af01e9ea2b55e8109d817cd408f1fd8009d54663b19e5f74bf6a3615e5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
61c42f844e2a551286f18e2cdb391f09

SHA1
dc5d058314350846d40fb39fb172b06cbef5d1ca

SHA256
8aa5e5c6a1907745b22db28755e255afbfa85f1b734dc5b9617a7df800c8e4e4

SHA512
0a4b8b176988b5518c999e78a28ea27a59a46cfc00b8f81a48fe853bb588398862d9a853e751bef5c10c1f70f5547e6c9a76e40aa1333aec261d6b51182bab9c

Download Submit
memory/368-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/368-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1536-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3016-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3424-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3424-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3424-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4964-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download