neconyd | 46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
Size

96KB
MD5

5a4e24466068994c8d2993885c234630
SHA1

71ad823076f84943e7a84b18170620604c222816
SHA256

46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609a
SHA512

e63ba08d8b70e3fb81ec7556f9210600964a633a7920579fe9bbff0bca370b83b88e5abab7ee1910db82caa929787109b4138b02af9f7ff9f199e957641ce07b
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:OGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1836	omsecor.exe
4932	omsecor.exe
3188	omsecor.exe
2412	omsecor.exe
3160	omsecor.exe
3988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1836 set thread context of 4932	1836	omsecor.exe	87
PID 3188 set thread context of 2412	3188	omsecor.exe	99
PID 3160 set thread context of 3988	3160	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
100	1140	WerFault.exe	82
1732	1836	WerFault.exe	85
4148	3188	WerFault.exe	98
3544	3160	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1140 wrote to memory of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1140 wrote to memory of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1140 wrote to memory of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1140 wrote to memory of 1016	1140	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	83
PID 1016 wrote to memory of 1836	1016	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	85
PID 1016 wrote to memory of 1836	1016	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	85
PID 1016 wrote to memory of 1836	1016	46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe	85
PID 1836 wrote to memory of 4932	1836	omsecor.exe	87
PID 1836 wrote to memory of 4932	1836	omsecor.exe	87
PID 1836 wrote to memory of 4932	1836	omsecor.exe	87
PID 1836 wrote to memory of 4932	1836	omsecor.exe	87
PID 1836 wrote to memory of 4932	1836	omsecor.exe	87
PID 4932 wrote to memory of 3188	4932	omsecor.exe	98
PID 4932 wrote to memory of 3188	4932	omsecor.exe	98
PID 4932 wrote to memory of 3188	4932	omsecor.exe	98
PID 3188 wrote to memory of 2412	3188	omsecor.exe	99
PID 3188 wrote to memory of 2412	3188	omsecor.exe	99
PID 3188 wrote to memory of 2412	3188	omsecor.exe	99
PID 3188 wrote to memory of 2412	3188	omsecor.exe	99
PID 3188 wrote to memory of 2412	3188	omsecor.exe	99
PID 2412 wrote to memory of 3160	2412	omsecor.exe	101
PID 2412 wrote to memory of 3160	2412	omsecor.exe	101
PID 2412 wrote to memory of 3160	2412	omsecor.exe	101
PID 3160 wrote to memory of 3988	3160	omsecor.exe	103
PID 3160 wrote to memory of 3988	3160	omsecor.exe	103
PID 3160 wrote to memory of 3988	3160	omsecor.exe	103
PID 3160 wrote to memory of 3988	3160	omsecor.exe	103
PID 3160 wrote to memory of 3988	3160	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
"C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
  C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 256
        8⤵
        Program crash
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 292
        6⤵
        Program crash
        
        PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 292
      4⤵
      Program crash
      PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 288
  2⤵
  - Program crash
  PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 1140
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1836 -ip 1836
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3188 -ip 3188
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3160 -ip 3160
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5f78c8acd8d7a3c783977b7f65ed2124

SHA1
95dbbb6ce4854675e025b91adcd9a5f6866c932d

SHA256
3c3037c0182e088a172c2e7d57cea99d8d545fb7bd331ad2e35b2b11b0ead1d1

SHA512
b0d886e88c5648e08626105a298a09e5b70a3a499e8b403b0866fe34f846995eaaa5cf05959c7587fe57ae2b50c8ca3dedc83bff98cb0b28482ab23dd2f1c594

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ec89c35902924c7111030966fac9ce59

SHA1
889457a38e68934db34638a0c3fe4050ce9bb516

SHA256
268444a3dcfa24c1666b7e056a38f4cc86720a2bd6204175f2ed2d0d0d1917f3

SHA512
c0d45398d2b8951a7817b4a3730c5ca0228ecb20892d55683955e149baf277b768e30e653917436f8e9d8ea561aca9cd19e9a1567541e49b5c76546d8f96f362

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3a453926a9b59232f7acd36daadd36b5

SHA1
3d77f56b7a25a73a87f0a091667f684bb47c7fa8

SHA256
9d9e1544e5160deff579c143fe0ef1e01962db7341c075dcfea86947d9c16cbd

SHA512
08c1116200b7b5d3b57337ea47aa7448252d98611fc69f85da097c571a51e034d7196bf92e61059b562c8dafeda605e1266b7da003d7fb2d4efa0b3a1a1362e9

Download Submit
memory/1016-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1140-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1140-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2412-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3160-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3160-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3188-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3188-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3988-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3988-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3988-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download