neconyd | 982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
Size

96KB
MD5

cef45c2409259699135727cbc94aa750
SHA1

adc57545b66c43b1e59b93c72bae959f7e0b294b
SHA256

982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50
SHA512

b0ed6de2c83ac623ccd22c7c2e63fd93d77ee5a997b4bd11170d68cb411edb680b0110b13c0b28e9b7ef5c50f91c77f2b4550732e174cc2a81a2e7f48e917bc9
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:OGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4904	omsecor.exe
3064	omsecor.exe
4144	omsecor.exe
3376	omsecor.exe
3968	omsecor.exe
2264	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 4904 set thread context of 3064	4904	omsecor.exe	88
PID 4144 set thread context of 3376	4144	omsecor.exe	99
PID 3968 set thread context of 2264	3968	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
468	948	WerFault.exe	82
3280	4904	WerFault.exe	87
2056	4144	WerFault.exe	98
3264	3968	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 948 wrote to memory of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 948 wrote to memory of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 948 wrote to memory of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 948 wrote to memory of 2624	948	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	84
PID 2624 wrote to memory of 4904	2624	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	87
PID 2624 wrote to memory of 4904	2624	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	87
PID 2624 wrote to memory of 4904	2624	982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe	87
PID 4904 wrote to memory of 3064	4904	omsecor.exe	88
PID 4904 wrote to memory of 3064	4904	omsecor.exe	88
PID 4904 wrote to memory of 3064	4904	omsecor.exe	88
PID 4904 wrote to memory of 3064	4904	omsecor.exe	88
PID 4904 wrote to memory of 3064	4904	omsecor.exe	88
PID 3064 wrote to memory of 4144	3064	omsecor.exe	98
PID 3064 wrote to memory of 4144	3064	omsecor.exe	98
PID 3064 wrote to memory of 4144	3064	omsecor.exe	98
PID 4144 wrote to memory of 3376	4144	omsecor.exe	99
PID 4144 wrote to memory of 3376	4144	omsecor.exe	99
PID 4144 wrote to memory of 3376	4144	omsecor.exe	99
PID 4144 wrote to memory of 3376	4144	omsecor.exe	99
PID 4144 wrote to memory of 3376	4144	omsecor.exe	99
PID 3376 wrote to memory of 3968	3376	omsecor.exe	101
PID 3376 wrote to memory of 3968	3376	omsecor.exe	101
PID 3376 wrote to memory of 3968	3376	omsecor.exe	101
PID 3968 wrote to memory of 2264	3968	omsecor.exe	103
PID 3968 wrote to memory of 2264	3968	omsecor.exe	103
PID 3968 wrote to memory of 2264	3968	omsecor.exe	103
PID 3968 wrote to memory of 2264	3968	omsecor.exe	103
PID 3968 wrote to memory of 2264	3968	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
"C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
  C:\Users\Admin\AppData\Local\Temp\982dabc32d2358d0d19eebef352c74fe4d43bc565109cb04135eb9443e8eda50N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 256
        8⤵
        Program crash
        
        PID:3264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 292
        6⤵
        Program crash
        
        PID:2056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 288
      4⤵
      Program crash
      PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 288
  2⤵
  - Program crash
  PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 948 -ip 948
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4904 -ip 4904
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4144 -ip 4144
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3968 -ip 3968
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
48e39d43f559a9739db600094d96c054

SHA1
fc30edefea675abfcce2da5d2d1fc07c28aa05f9

SHA256
ded0bc6c347ada897e983f3e2aca1dc5e50aa5bfc0e1932f5735e6a6f870476a

SHA512
d21ae6a5ca3bb35aeae25427269f81c3c93c400e500a04bcb899b82af822992b72fb0c72bb29d8100f4801600b4830f207b1e6f2cff90103bfd3d22317c3c2c6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
416727115761e477e5d79141639157ac

SHA1
0198be0a052d0b3a9f90bdf6a88b41ed98d86db5

SHA256
7c79293172e5f3165c2ee3e5396e2d0d60dc4ce2d506f8ebeba8a26b747775a5

SHA512
e2f0a7d1aef55f1d472e46dbdb6579e004d0d4cc504f218de172f163e2c3fc3078636a535f9c4cab5c3e85b1737bde8bb081bd8bf66f68bcd2d6a3eaf9e18ab6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2475a4c7bb49712377d2ae3e0a79167b

SHA1
d65decc936bb0fb2ad93f397af06f3a6f2be5fbc

SHA256
c403d9a368470b88c9ccfb2b5e8f57bbf855c8719f5b2f5695ab2c9e5ec87568

SHA512
fb6b2b586fd991d61481e8b8e2aa051aece2ecda34692b749817b15471686d9e78fbfeaed45914610e05054af7ace40f1e26eb9b4e52b6084f2e072d1de38d5e

Download Submit
memory/948-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/948-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2264-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2264-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3376-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3376-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3376-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3968-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4904-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4904-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download