neconyd | 62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
Size

134KB
MD5

51dad8da4937b0553e89916281ade2a0
SHA1

750688fe6ba6efd508f34275a8a1584d20ff97e8
SHA256

62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33
SHA512

6fb2f41cf9db6176f47430c190e08bcacd9dae64e5865ba062e703fda17003ee22f45b96200a265fec6e16ad311ce051728bb9118e2ca62842127ce04c4ca677
SSDEEP

1536:cDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:CiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3228	omsecor.exe
392	omsecor.exe
3112	omsecor.exe
3248	omsecor.exe
3916	omsecor.exe
3748	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 3228 set thread context of 392	3228	omsecor.exe	86
PID 3112 set thread context of 3248	3112	omsecor.exe	100
PID 3916 set thread context of 3748	3916	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
764	4440	WerFault.exe	81
3424	3228	WerFault.exe	85
692	3112	WerFault.exe	99
4112	3916	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 4440 wrote to memory of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 4440 wrote to memory of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 4440 wrote to memory of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 4440 wrote to memory of 4040	4440	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	82
PID 4040 wrote to memory of 3228	4040	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	85
PID 4040 wrote to memory of 3228	4040	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	85
PID 4040 wrote to memory of 3228	4040	62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe	85
PID 3228 wrote to memory of 392	3228	omsecor.exe	86
PID 3228 wrote to memory of 392	3228	omsecor.exe	86
PID 3228 wrote to memory of 392	3228	omsecor.exe	86
PID 3228 wrote to memory of 392	3228	omsecor.exe	86
PID 3228 wrote to memory of 392	3228	omsecor.exe	86
PID 392 wrote to memory of 3112	392	omsecor.exe	99
PID 392 wrote to memory of 3112	392	omsecor.exe	99
PID 392 wrote to memory of 3112	392	omsecor.exe	99
PID 3112 wrote to memory of 3248	3112	omsecor.exe	100
PID 3112 wrote to memory of 3248	3112	omsecor.exe	100
PID 3112 wrote to memory of 3248	3112	omsecor.exe	100
PID 3112 wrote to memory of 3248	3112	omsecor.exe	100
PID 3112 wrote to memory of 3248	3112	omsecor.exe	100
PID 3248 wrote to memory of 3916	3248	omsecor.exe	102
PID 3248 wrote to memory of 3916	3248	omsecor.exe	102
PID 3248 wrote to memory of 3916	3248	omsecor.exe	102
PID 3916 wrote to memory of 3748	3916	omsecor.exe	104
PID 3916 wrote to memory of 3748	3916	omsecor.exe	104
PID 3916 wrote to memory of 3748	3916	omsecor.exe	104
PID 3916 wrote to memory of 3748	3916	omsecor.exe	104
PID 3916 wrote to memory of 3748	3916	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
"C:\Users\Admin\AppData\Local\Temp\62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
  C:\Users\Admin\AppData\Local\Temp\62ac3574bd12cc74abfd717ae484ff082cbf287eb5c3ced887bd5f5abc22fe33N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 256
        8⤵
        Program crash
        
        PID:4112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 292
        6⤵
        Program crash
        
        PID:692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 288
      4⤵
      Program crash
      PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 288
  2⤵
  - Program crash
  PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 4440
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3228 -ip 3228
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3112 -ip 3112
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3916 -ip 3916
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b2f02aa03fda4c349a51175802e179c4

SHA1
9be0b18be9c1db58625ddf165bbc35ec21841402

SHA256
9fff212a357c40ae679b001a421e54c28a0595849d98266307947a942be9e030

SHA512
9de028214ca070e83aedacaadec25fd376128dfabe154bd7f35f5073cdab096fe02f428f9dca9675dfde5830610e3cc2a736fe8def66d51b0c8a5788eb7acf52

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
334fb6c9dd7c59479d87391e23ebb955

SHA1
97b593e659f225767742a4f3eea7fb3698c3e48e

SHA256
28f651661348768852a846f00be5a451a6ddbd62e4217fadccd704daa159192c

SHA512
759bc98c6559a937438ca3150de5375398e4703c77793153dce5c10216e54ac83ceefa1f9e7bf4399ddc3ed04407f336f471fce40b70a36386ad9d65c1ee2e91

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6120d2d20f1abd80ff84e571cf54e662

SHA1
8745935be511feec67c3b946385087c9b63ef840

SHA256
e6489834d3f1f864d7ad37c1f567786ecbd3d453b617f0e0a57e5502ba1d54cf

SHA512
6a8d95de8fb70dab4a502cf538c5fe396df8dc70b8779e6b04fece9484e4198fbf3063a7cfd6a3315d2a3cd83d61a7162b7126c3f57fa807be60d99c5853eadc

Download Submit
memory/392-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/392-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3112-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3228-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3228-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3248-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3748-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3748-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3748-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4040-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4040-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4040-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download