neconyd | 00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Size

134KB
MD5

17abba9b7903c73f47d031d6a7ca2973
SHA1

054397fba61cb951cb8cac20adada39cf4c0d3f6
SHA256

00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4
SHA512

c4513e79cd8b9f162245348e410120dbdb725f71d2971d0a645ad0fc93b132f1211a3e8ae4f5bff52c7a8cead5f94af4cd8abc0a120770a081fab31a30400e28
SSDEEP

1536:FDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:liRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2964	omsecor.exe
2784	omsecor.exe
744	omsecor.exe
4796	omsecor.exe
3524	omsecor.exe
3972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 2964 set thread context of 2784	2964	omsecor.exe	88
PID 744 set thread context of 4796	744	omsecor.exe	98
PID 3524 set thread context of 3972	3524	omsecor.exe	101

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3168	1896	WerFault.exe	82
1584	2964	WerFault.exe	87
3164	744	WerFault.exe	97
2128	3524	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 1896 wrote to memory of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 1896 wrote to memory of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 1896 wrote to memory of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 1896 wrote to memory of 404	1896	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	83
PID 404 wrote to memory of 2964	404	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	87
PID 404 wrote to memory of 2964	404	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	87
PID 404 wrote to memory of 2964	404	00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe	87
PID 2964 wrote to memory of 2784	2964	omsecor.exe	88
PID 2964 wrote to memory of 2784	2964	omsecor.exe	88
PID 2964 wrote to memory of 2784	2964	omsecor.exe	88
PID 2964 wrote to memory of 2784	2964	omsecor.exe	88
PID 2964 wrote to memory of 2784	2964	omsecor.exe	88
PID 2784 wrote to memory of 744	2784	omsecor.exe	97
PID 2784 wrote to memory of 744	2784	omsecor.exe	97
PID 2784 wrote to memory of 744	2784	omsecor.exe	97
PID 744 wrote to memory of 4796	744	omsecor.exe	98
PID 744 wrote to memory of 4796	744	omsecor.exe	98
PID 744 wrote to memory of 4796	744	omsecor.exe	98
PID 744 wrote to memory of 4796	744	omsecor.exe	98
PID 744 wrote to memory of 4796	744	omsecor.exe	98
PID 4796 wrote to memory of 3524	4796	omsecor.exe	100
PID 4796 wrote to memory of 3524	4796	omsecor.exe	100
PID 4796 wrote to memory of 3524	4796	omsecor.exe	100
PID 3524 wrote to memory of 3972	3524	omsecor.exe	101
PID 3524 wrote to memory of 3972	3524	omsecor.exe	101
PID 3524 wrote to memory of 3972	3524	omsecor.exe	101
PID 3524 wrote to memory of 3972	3524	omsecor.exe	101
PID 3524 wrote to memory of 3972	3524	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
"C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
  C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 256
        8⤵
        Program crash
        
        PID:2128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 292
        6⤵
        Program crash
        
        PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 288
      4⤵
      Program crash
      PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 300
  2⤵
  - Program crash
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2964 -ip 2964
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 744 -ip 744
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3524 -ip 3524
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
87a597b34f67271d72573bfdd220c97d

SHA1
fdd417d84462d204ae5991c2e69bcacf747b9f11

SHA256
82d9478fcc8c7fb7054b2e26e39e2779e9881f8c107ac34c8fac0c333f788d8d

SHA512
b64df6930c59076308645f4e5bbd84f78bbe5ab88e18b9f61013718527e8fb422a68a37de133dbf771eb569dfb5d5742c3f53ff17a421daaf1c2182739217cc7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f12dbc220a90f9e2d2ad8303e5ecdf8f

SHA1
080e72badfb81e725ac3e52a56631f35b7f19505

SHA256
033c2a7eaf3e01e3a5cfdb858472fae641a5c0467b5573e31228a54484d2ad3f

SHA512
932fbb6ad2a17125f8566ac4e9ab9f7fa4aea9e8d5805b73232272f8608604f7d9ddbb22d1c18b717868242da6fe4908218d7b039c4eeeaefeea14a63d85bd8e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
9fda2a87b48fbfbda9ae176b1b252bcd

SHA1
6b1f88472a318987d297ec13a153658d6e11d2e8

SHA256
9d4ec2f6ded9dca6bd6904d03c214a116be3539d59569d6f4d37a60e29fb97eb

SHA512
d2962f8961d28c82b8d2dee20e4ec4d18a5656a70093eff033aeea7b2cb8b180edfa0430274a66a98150b328956138ebf1e858f42f3ae356ae4693a057e53adc

Download Submit
memory/404-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/744-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1896-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1896-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2784-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2964-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3524-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3972-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download