neconyd | 1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
Size

96KB
MD5

06f9986e4fd70ec310d913a22795d5c4
SHA1

c0e06f7d1584e7f67647830aabf325511ec17e14
SHA256

1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98
SHA512

26d793ae3715a2c9efac88fe48238213a2b42ebbf72e5422504318e8a5379b52f6d4467ef113a83ac8f5e341443303c3d6776842cf8c55efd770ecd96368913a
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:TGs8cd8eXlYairZYqMddH13j

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4884	omsecor.exe
628	omsecor.exe
4448	omsecor.exe
4476	omsecor.exe
1404	omsecor.exe
4940	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 4884 set thread context of 628	4884	omsecor.exe	89
PID 4448 set thread context of 4476	4448	omsecor.exe	99
PID 1404 set thread context of 4940	1404	omsecor.exe	102

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2240	5056	WerFault.exe	82
1208	4884	WerFault.exe	87
4904	4448	WerFault.exe	98
752	1404	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 5056 wrote to memory of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 5056 wrote to memory of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 5056 wrote to memory of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 5056 wrote to memory of 3132	5056	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	84
PID 3132 wrote to memory of 4884	3132	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	87
PID 3132 wrote to memory of 4884	3132	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	87
PID 3132 wrote to memory of 4884	3132	1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe	87
PID 4884 wrote to memory of 628	4884	omsecor.exe	89
PID 4884 wrote to memory of 628	4884	omsecor.exe	89
PID 4884 wrote to memory of 628	4884	omsecor.exe	89
PID 4884 wrote to memory of 628	4884	omsecor.exe	89
PID 4884 wrote to memory of 628	4884	omsecor.exe	89
PID 628 wrote to memory of 4448	628	omsecor.exe	98
PID 628 wrote to memory of 4448	628	omsecor.exe	98
PID 628 wrote to memory of 4448	628	omsecor.exe	98
PID 4448 wrote to memory of 4476	4448	omsecor.exe	99
PID 4448 wrote to memory of 4476	4448	omsecor.exe	99
PID 4448 wrote to memory of 4476	4448	omsecor.exe	99
PID 4448 wrote to memory of 4476	4448	omsecor.exe	99
PID 4448 wrote to memory of 4476	4448	omsecor.exe	99
PID 4476 wrote to memory of 1404	4476	omsecor.exe	101
PID 4476 wrote to memory of 1404	4476	omsecor.exe	101
PID 4476 wrote to memory of 1404	4476	omsecor.exe	101
PID 1404 wrote to memory of 4940	1404	omsecor.exe	102
PID 1404 wrote to memory of 4940	1404	omsecor.exe	102
PID 1404 wrote to memory of 4940	1404	omsecor.exe	102
PID 1404 wrote to memory of 4940	1404	omsecor.exe	102
PID 1404 wrote to memory of 4940	1404	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
"C:\Users\Admin\AppData\Local\Temp\1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
  C:\Users\Admin\AppData\Local\Temp\1afd01860aa4a3311cb9e33f8847d275d4f71866f9766c328c2fc10466e55d98.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 268
        8⤵
        Program crash
        
        PID:752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 292
        6⤵
        Program crash
        
        PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 300
      4⤵
      Program crash
      PID:1208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 288
  2⤵
  - Program crash
  PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5056 -ip 5056
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4884 -ip 4884
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4448 -ip 4448
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1404 -ip 1404
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7087cf0ffbfe67c367ae97d9d711efcf

SHA1
84fc92a770246b8e3339e0601a0e878e15ed0aa8

SHA256
0e194e76c9a39e308d70b9d1ef38e42dafcc89134735be59e563400cdeaa45d0

SHA512
0179cdc58f1ce3b6f2ef3d937154d333b53e39135e4727a4bf2493dedb644852fca12fa6ff2be07b1074536c4ef705ddbff31455c6925220cd470efd8c720367

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d11dcc14dc9b76c4133db787467b11e1

SHA1
5bd4c3c592fcdf9aed6a943ee7d776da2188b93a

SHA256
34a9021c951262ec23a9776c4d4ba5bc11b335a47a491d3fe659ac7d416679c1

SHA512
1f6c27d02cad38d4246c8cf8dacdb11f3d75d2b47cc7ff7711cc8ae6287853e847f074502cd7c1355edd33a787e09574deb911590f64b40026ad25e86d49144f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
aa84486c52335c0abec2778a61a39471

SHA1
89151660bbd4c52728e0f0525efe794d3027b468

SHA256
c43a183732c526c4b34913fa0f3506c432436c784524d4357178f805181a891a

SHA512
26e5c419edb2e2f89e49bc72400b00b9c43726a01b13b210fc4be5ae1cfd8203f314045f50be2e2bd9b1e36c7c7ce5614b1842c572aa68ec36564b79c90b72c6

Download Submit
memory/628-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1404-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3132-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3132-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3132-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3132-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4448-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4476-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4884-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4940-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5056-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download