neconyd | 879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5d

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Size

134KB
MD5

36c4d2f645f9db603d475063924eb670
SHA1

5629b4c78b8cdb44c74e8ea403554bd01168b8e6
SHA256

879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5d
SHA512

ba678c8acea7d20906096ac197d5b6475e9d4bb1d8a1de0c369970ea8bb38f194787d5b4d866c67135ca200c2a808159616070a2ac7f0e7a75233958d27e2c68
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1088	omsecor.exe
3696	omsecor.exe
832	omsecor.exe
704	omsecor.exe
4436	omsecor.exe
4072	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 1088 set thread context of 3696	1088	omsecor.exe	88
PID 832 set thread context of 704	832	omsecor.exe	101
PID 4436 set thread context of 4072	4436	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1580	1668	WerFault.exe	82
2096	1088	WerFault.exe	85
3216	832	WerFault.exe	100
3064	4436	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 1668 wrote to memory of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 1668 wrote to memory of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 1668 wrote to memory of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 1668 wrote to memory of 3772	1668	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	83
PID 3772 wrote to memory of 1088	3772	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	85
PID 3772 wrote to memory of 1088	3772	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	85
PID 3772 wrote to memory of 1088	3772	879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe	85
PID 1088 wrote to memory of 3696	1088	omsecor.exe	88
PID 1088 wrote to memory of 3696	1088	omsecor.exe	88
PID 1088 wrote to memory of 3696	1088	omsecor.exe	88
PID 1088 wrote to memory of 3696	1088	omsecor.exe	88
PID 1088 wrote to memory of 3696	1088	omsecor.exe	88
PID 3696 wrote to memory of 832	3696	omsecor.exe	100
PID 3696 wrote to memory of 832	3696	omsecor.exe	100
PID 3696 wrote to memory of 832	3696	omsecor.exe	100
PID 832 wrote to memory of 704	832	omsecor.exe	101
PID 832 wrote to memory of 704	832	omsecor.exe	101
PID 832 wrote to memory of 704	832	omsecor.exe	101
PID 832 wrote to memory of 704	832	omsecor.exe	101
PID 832 wrote to memory of 704	832	omsecor.exe	101
PID 704 wrote to memory of 4436	704	omsecor.exe	103
PID 704 wrote to memory of 4436	704	omsecor.exe	103
PID 704 wrote to memory of 4436	704	omsecor.exe	103
PID 4436 wrote to memory of 4072	4436	omsecor.exe	105
PID 4436 wrote to memory of 4072	4436	omsecor.exe	105
PID 4436 wrote to memory of 4072	4436	omsecor.exe	105
PID 4436 wrote to memory of 4072	4436	omsecor.exe	105
PID 4436 wrote to memory of 4072	4436	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
"C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
  C:\Users\Admin\AppData\Local\Temp\879266d087e8a9d921459ee0b3e37d80ee81f2ad8cf1a573f03fa23a2685ae5dN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 244
        8⤵
        Program crash
        
        PID:3064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 292
        6⤵
        Program crash
        
        PID:3216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 296
      4⤵
      Program crash
      PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 288
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1668 -ip 1668
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1088 -ip 1088
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 832 -ip 832
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4436 -ip 4436
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
dc800634fde0b786d843ed1dcc6e33c7

SHA1
4c422ab54474b3f87b089d54a6e5889f76479e31

SHA256
52c326e1138193f5a1d4eb131f85ac61a18c805a181999820469dcdaf923d1dc

SHA512
1e34d2f7a8e959388394880036d31b10af439a88398619c1e0ddbfb4f06b363ec4b8cdb962dbbded94535a30da2853dd922fb9cd66329f8a19c67fdc62aec487

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f4be90352975039dc08cb4cfff1ab390

SHA1
e9e7d4d0d1f8da90d7748a18b21a6d2a579d9f2b

SHA256
a20d8d15be6fd148f7481b57a9bcb9ee877eca2d85be64394e149d4e39769203

SHA512
5bb9afc5872978bcfbdecf0997e54d1b8a091e3941e83a59164d4124d7c7ee48b68ac3814eb336c5226761f35965ecf413ec0d51a6d8a2c173c297b3db85fc2f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
43993f8ea6f38aa47b81e12f1b34e9fd

SHA1
335d11bf89dcc823d52445967ba582445c30a81d

SHA256
c2f173fde753700a568df0db3c45c4c1e7a8df5cc539491eda414729e16c8d1a

SHA512
735c827f17edaa65e7c3ba83f4874c73bdb107ebb7800f94f822a154289bf0563efdfc19c5aa52edd4f2f804c4e4c776dc06bc9ac8300d84e6c596b0bbc7b99a

Download Submit
memory/704-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/832-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/832-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1668-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1668-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3696-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3772-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3772-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3772-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3772-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4072-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4072-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4072-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download