neconyd | cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe
Size

96KB
MD5

b638a9c8e31dadeeb313a6e2358b3b70
SHA1

77bf3b34cd5aea0f032915216adcaf6df744543f
SHA256

cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547
SHA512

5bb242333346467d299ff477086d5c0975a7c9ce057eb4ae8c676ad1413dfc938c88a21d83549ad8bc0b2562da72ce4bd8fba2acf6c603954dc1e675581cc23d
SSDEEP

1536:unAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:uGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4424	omsecor.exe
4160	omsecor.exe
2988	omsecor.exe
3472	omsecor.exe
2360	omsecor.exe
760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 4424 set thread context of 4160	4424	omsecor.exe	88
PID 2988 set thread context of 3472	2988	omsecor.exe	99
PID 2360 set thread context of 760	2360	omsecor.exe	102

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2332	1976	WerFault.exe	82
628	4424	WerFault.exe	85
3800	2988	WerFault.exe	98
1492	2360	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 1976 wrote to memory of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 1976 wrote to memory of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 1976 wrote to memory of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 1976 wrote to memory of 3524	1976	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	83
PID 3524 wrote to memory of 4424	3524	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	85
PID 3524 wrote to memory of 4424	3524	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	85
PID 3524 wrote to memory of 4424	3524	cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe	85
PID 4424 wrote to memory of 4160	4424	omsecor.exe	88
PID 4424 wrote to memory of 4160	4424	omsecor.exe	88
PID 4424 wrote to memory of 4160	4424	omsecor.exe	88
PID 4424 wrote to memory of 4160	4424	omsecor.exe	88
PID 4424 wrote to memory of 4160	4424	omsecor.exe	88
PID 4160 wrote to memory of 2988	4160	omsecor.exe	98
PID 4160 wrote to memory of 2988	4160	omsecor.exe	98
PID 4160 wrote to memory of 2988	4160	omsecor.exe	98
PID 2988 wrote to memory of 3472	2988	omsecor.exe	99
PID 2988 wrote to memory of 3472	2988	omsecor.exe	99
PID 2988 wrote to memory of 3472	2988	omsecor.exe	99
PID 2988 wrote to memory of 3472	2988	omsecor.exe	99
PID 2988 wrote to memory of 3472	2988	omsecor.exe	99
PID 3472 wrote to memory of 2360	3472	omsecor.exe	101
PID 3472 wrote to memory of 2360	3472	omsecor.exe	101
PID 3472 wrote to memory of 2360	3472	omsecor.exe	101
PID 2360 wrote to memory of 760	2360	omsecor.exe	102
PID 2360 wrote to memory of 760	2360	omsecor.exe	102
PID 2360 wrote to memory of 760	2360	omsecor.exe	102
PID 2360 wrote to memory of 760	2360	omsecor.exe	102
PID 2360 wrote to memory of 760	2360	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe
"C:\Users\Admin\AppData\Local\Temp\cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe
  C:\Users\Admin\AppData\Local\Temp\cd86ae248b4fdc7b93429dc926f941452378e66841c5f6a3cd5655891045d547N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 256
        8⤵
        Program crash
        
        PID:1492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 292
        6⤵
        Program crash
        
        PID:3800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 300
      4⤵
      Program crash
      PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 264
  2⤵
  - Program crash
  PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4424 -ip 4424
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2988 -ip 2988
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2360 -ip 2360
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b7ea1d1b28adf09ec3ca1be1c368d533

SHA1
94f89260ce50c81c1495c73da1b573a783e60183

SHA256
b6834fc3674119d6ce239b53d51185b51ef91592f83a5e7909a0622550c8d315

SHA512
da10ae07e8751f7b1d667b6ee82d9ae5f01b843f2f04278381868d20b66afc24767f73aef1261491d86ae6f0f28d4b8b98209a84a7edb28c864d4d1b19d3fd7b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
17c92d2a87dde55deb8a94c57266d0ab

SHA1
838a1aff5c8418fedca3868873a93a7cc8fa461d

SHA256
48621fc916cb76d7dc03b8a15e0e58eac575c59d7a1efcb61e7eef0aef630e23

SHA512
c9cb8442a0a1bd8573c671a2797e237e176e2659adf9710bab70d3553355f7415b9ce6ddb18407c65cc542e3fde36878081d27791c0876629bb5d538be7a325e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6ce1443b9181674952574024bc0701bb

SHA1
2165b06ae6ea9b4d94872cf273d32f79b9424dde

SHA256
e093c070bfec635ed0d9097fc1c7f860b4c6a8b4d663934a1ce40523b79581de

SHA512
24f2bc1a7898783143b8e43dd513b94a82263357c1cb805a098fc908d17ce7cbb301565f4adf1ef759b3f8f46dc61af9767f5157d1f7342713e885375ba32c60

Download Submit
memory/760-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1976-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3472-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3472-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3472-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3524-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3524-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3524-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3524-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4424-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download