neconyd | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Size

96KB
MD5

b55545b8ebbe3b5559e4615778d5a610
SHA1

4cad156ecebb8a3a88947778e279386b68685260
SHA256

09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab
SHA512

28def2b2454383345a82949d9f00d9787036c4ad3ab64d82d7e86c588383e348be7e36d850148bda0c97bf6a3b7d00e530edcbb35c22db14813cf8ad9e0f04e3
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2040	omsecor.exe
3200	omsecor.exe
2680	omsecor.exe
3996	omsecor.exe
448	omsecor.exe
1268	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 2040 set thread context of 3200	2040	omsecor.exe	87
PID 2680 set thread context of 3996	2680	omsecor.exe	100
PID 448 set thread context of 1268	448	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3260	4628	WerFault.exe	82
3948	2040	WerFault.exe	85
3576	2680	WerFault.exe	99
3636	448	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 4628 wrote to memory of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 4628 wrote to memory of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 4628 wrote to memory of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 4628 wrote to memory of 4248	4628	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	83
PID 4248 wrote to memory of 2040	4248	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	85
PID 4248 wrote to memory of 2040	4248	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	85
PID 4248 wrote to memory of 2040	4248	09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe	85
PID 2040 wrote to memory of 3200	2040	omsecor.exe	87
PID 2040 wrote to memory of 3200	2040	omsecor.exe	87
PID 2040 wrote to memory of 3200	2040	omsecor.exe	87
PID 2040 wrote to memory of 3200	2040	omsecor.exe	87
PID 2040 wrote to memory of 3200	2040	omsecor.exe	87
PID 3200 wrote to memory of 2680	3200	omsecor.exe	99
PID 3200 wrote to memory of 2680	3200	omsecor.exe	99
PID 3200 wrote to memory of 2680	3200	omsecor.exe	99
PID 2680 wrote to memory of 3996	2680	omsecor.exe	100
PID 2680 wrote to memory of 3996	2680	omsecor.exe	100
PID 2680 wrote to memory of 3996	2680	omsecor.exe	100
PID 2680 wrote to memory of 3996	2680	omsecor.exe	100
PID 2680 wrote to memory of 3996	2680	omsecor.exe	100
PID 3996 wrote to memory of 448	3996	omsecor.exe	102
PID 3996 wrote to memory of 448	3996	omsecor.exe	102
PID 3996 wrote to memory of 448	3996	omsecor.exe	102
PID 448 wrote to memory of 1268	448	omsecor.exe	104
PID 448 wrote to memory of 1268	448	omsecor.exe	104
PID 448 wrote to memory of 1268	448	omsecor.exe	104
PID 448 wrote to memory of 1268	448	omsecor.exe	104
PID 448 wrote to memory of 1268	448	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
"C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 256
        8⤵
        Program crash
        
        PID:3636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 292
        6⤵
        Program crash
        
        PID:3576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 288
      4⤵
      Program crash
      PID:3948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 288
  2⤵
  - Program crash
  PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4628 -ip 4628
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2040 -ip 2040
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2680 -ip 2680
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 448 -ip 448
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
63295a52fdb48dcb327c0edae1f39764

SHA1
310f47e5ceb3f073ec3307d63740e4f90cb7e8da

SHA256
321c49c158e33c00cfff00752d812237ddba860e900169a4e1f2359017c7b162

SHA512
47c6e7983785909279866f4c47bed010817230c9cb1b1a09e3801c68014cf5daa5e32dbed3b6ecebc0494195ac091941b9cd52122881bf19f18c3af63af2d961

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7030d0b66162cb56c85d320713f21874

SHA1
6450544f289d3656f5e36480050b255577acc79d

SHA256
ba23dba9f23b6d003f585605ff70f41f8110d7501c870e8f8da0a4b31032b9d1

SHA512
0d36183a218e7fbf54b1f58023fc4eaf1e1379bbd59ea8daf138b23ee4805b2533f11b93359daab0ce5e7a3d9dca3361cf0e158030f44509cd3e07f3af07dbd6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
bf48853d7726383db23573f30c70dfb8

SHA1
6cfde3740e8f42c4a8e437a64fb151b49ce8703d

SHA256
c9cce0e367b16042855494d6a780adc25a2ccfd88925e191f772e463d9a9a068

SHA512
2dbe074448a21d0768edb859a1db29f912883c7e32a7aa26ea073e74a80060ba0225bdb17c06b9cf48e7fd1247a947844ff8291b50afab0f6041795c3d86a6a6

Download Submit
memory/448-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/448-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1268-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3200-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4248-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4248-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4248-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4248-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4628-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4628-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download