neconyd | 5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
Size

96KB
MD5

e23e1066967cfe27f0bad4cbab114e0e
SHA1

7f4af7f5b9c2021c553d4bec0915f1ab56c2630b
SHA256

5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d
SHA512

2f5741e0fe892e064024a84b03b9973550dfd86ab1df591f6ad11a6ff25c7333967f8c49b97362998d5ee77b0ec781bdfbada240c1d4f59c5af0ba01f89fe645
SSDEEP

1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:EGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3808	omsecor.exe
2424	omsecor.exe
2644	omsecor.exe
4252	omsecor.exe
3996	omsecor.exe
1860	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 3808 set thread context of 2424	3808	omsecor.exe	87
PID 2644 set thread context of 4252	2644	omsecor.exe	100
PID 3996 set thread context of 1860	3996	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2564	2728	WerFault.exe	81
4192	3808	WerFault.exe	84
2524	2644	WerFault.exe	99
2832	3996	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 2728 wrote to memory of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 2728 wrote to memory of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 2728 wrote to memory of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 2728 wrote to memory of 516	2728	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	82
PID 516 wrote to memory of 3808	516	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	84
PID 516 wrote to memory of 3808	516	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	84
PID 516 wrote to memory of 3808	516	5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe	84
PID 3808 wrote to memory of 2424	3808	omsecor.exe	87
PID 3808 wrote to memory of 2424	3808	omsecor.exe	87
PID 3808 wrote to memory of 2424	3808	omsecor.exe	87
PID 3808 wrote to memory of 2424	3808	omsecor.exe	87
PID 3808 wrote to memory of 2424	3808	omsecor.exe	87
PID 2424 wrote to memory of 2644	2424	omsecor.exe	99
PID 2424 wrote to memory of 2644	2424	omsecor.exe	99
PID 2424 wrote to memory of 2644	2424	omsecor.exe	99
PID 2644 wrote to memory of 4252	2644	omsecor.exe	100
PID 2644 wrote to memory of 4252	2644	omsecor.exe	100
PID 2644 wrote to memory of 4252	2644	omsecor.exe	100
PID 2644 wrote to memory of 4252	2644	omsecor.exe	100
PID 2644 wrote to memory of 4252	2644	omsecor.exe	100
PID 4252 wrote to memory of 3996	4252	omsecor.exe	102
PID 4252 wrote to memory of 3996	4252	omsecor.exe	102
PID 4252 wrote to memory of 3996	4252	omsecor.exe	102
PID 3996 wrote to memory of 1860	3996	omsecor.exe	103
PID 3996 wrote to memory of 1860	3996	omsecor.exe	103
PID 3996 wrote to memory of 1860	3996	omsecor.exe	103
PID 3996 wrote to memory of 1860	3996	omsecor.exe	103
PID 3996 wrote to memory of 1860	3996	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
  C:\Users\Admin\AppData\Local\Temp\5f23a18472141c4108d7cd49ebaa3f58fa3006777922b737202cf7338c8e0d0d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 256
        8⤵
        Program crash
        
        PID:2832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 292
        6⤵
        Program crash
        
        PID:2524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 288
      4⤵
      Program crash
      PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 292
  2⤵
  - Program crash
  PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2728 -ip 2728
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3808 -ip 3808
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2644 -ip 2644
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3996 -ip 3996
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36a38bb1103bd2df6c4b964957060172

SHA1
514730188ab2aded1874826a653dc51ad7093da7

SHA256
e1320d244ff643d05258a8612d70e18d32a4b3ed5b2f1e50220c245b44d1ad5c

SHA512
c445c6314d6c98a1909222927bb6d117c1ca18ee088e9af38c578c9161e5b532e4612f187c11d4a9ebab61456437b5268587bd1662125beba47c5b798f57f3a0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
48ebb298181ab30c984aede914af5c85

SHA1
51193285d5ce7d982535063fa5c70941e14ab5f5

SHA256
4e46ccb6b95b9d2c36740e1e4034e7eecfdb4febd1709f909c26a37d43a01d14

SHA512
2e49a8bb05fa159067a98574db812a80247fccc0e7d43c515a249867553d7343c1fe87e6801c70be77f47717e6533e9da04ceb757369eb7af3f5caaea37896af

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
49ca5941d55b7b3dd9a7c7cc25ae8289

SHA1
0d6df3e418d39a9acab8e86ed97dc0fa19908d95

SHA256
0c4abc65b498424b88a66988f940a871380baaec7a44ecbb2aadd0f24dce0f5f

SHA512
1a83a6f1ad06ffb39cccce832d7b2f1379fd80f05ef2da512e0d215ec04190a8ba6546d85a1046b601b9ddfefb4f83544146ce9608f4c1f529c8d3b9b7fafba1

Download Submit
memory/516-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/516-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/516-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/516-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1860-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1860-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1860-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2728-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2728-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3808-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3808-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3996-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4252-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4252-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4252-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download