neconyd | 12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8

Analysis

max time kernel
116s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Size

134KB
MD5

d9b1315c3de54f41e9f25a5070f6c6ca
SHA1

aa709b47beb38f301683cc96eb881df5ea5f4711
SHA256

12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8
SHA512

37cde91b5389a9916223b6695902316010d198ed5a8c32fe70e3a44eb95696669bbcc7b2f8f253dd3e2769a7cf71f67786771153ba99652599a378ce41af02c3
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4840	omsecor.exe
2032	omsecor.exe
4044	omsecor.exe
4476	omsecor.exe
1420	omsecor.exe
3520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 4840 set thread context of 2032	4840	omsecor.exe	88
PID 4044 set thread context of 4476	4044	omsecor.exe	101
PID 1420 set thread context of 3520	1420	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4456	1112	WerFault.exe	82
2160	4840	WerFault.exe	86
684	4044	WerFault.exe	100
2764	1420	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 1112 wrote to memory of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 1112 wrote to memory of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 1112 wrote to memory of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 1112 wrote to memory of 2664	1112	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	84
PID 2664 wrote to memory of 4840	2664	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	86
PID 2664 wrote to memory of 4840	2664	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	86
PID 2664 wrote to memory of 4840	2664	12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe	86
PID 4840 wrote to memory of 2032	4840	omsecor.exe	88
PID 4840 wrote to memory of 2032	4840	omsecor.exe	88
PID 4840 wrote to memory of 2032	4840	omsecor.exe	88
PID 4840 wrote to memory of 2032	4840	omsecor.exe	88
PID 4840 wrote to memory of 2032	4840	omsecor.exe	88
PID 2032 wrote to memory of 4044	2032	omsecor.exe	100
PID 2032 wrote to memory of 4044	2032	omsecor.exe	100
PID 2032 wrote to memory of 4044	2032	omsecor.exe	100
PID 4044 wrote to memory of 4476	4044	omsecor.exe	101
PID 4044 wrote to memory of 4476	4044	omsecor.exe	101
PID 4044 wrote to memory of 4476	4044	omsecor.exe	101
PID 4044 wrote to memory of 4476	4044	omsecor.exe	101
PID 4044 wrote to memory of 4476	4044	omsecor.exe	101
PID 4476 wrote to memory of 1420	4476	omsecor.exe	103
PID 4476 wrote to memory of 1420	4476	omsecor.exe	103
PID 4476 wrote to memory of 1420	4476	omsecor.exe	103
PID 1420 wrote to memory of 3520	1420	omsecor.exe	105
PID 1420 wrote to memory of 3520	1420	omsecor.exe	105
PID 1420 wrote to memory of 3520	1420	omsecor.exe	105
PID 1420 wrote to memory of 3520	1420	omsecor.exe	105
PID 1420 wrote to memory of 3520	1420	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
"C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
  C:\Users\Admin\AppData\Local\Temp\12117f04b48753d9af636c7750a9f6b3cc706ad0dd5146de83655834608e30c8.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 256
        8⤵
        Program crash
        
        PID:2764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 292
        6⤵
        Program crash
        
        PID:684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 300
      4⤵
      Program crash
      PID:2160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 288
  2⤵
  - Program crash
  PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 1112
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4840 -ip 4840
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4044 -ip 4044
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1420 -ip 1420
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b60e80075a6f2f0fa8f047c66e459c4c

SHA1
5aef00693172ba57f2f6906476cb8179d3ecbf9d

SHA256
403ac8e4973ee34425278db3e65983b5ecd251c3dd498ab9170b49141d5c49e7

SHA512
3a1bbbc7f751b09bad722c35edd13eeffcfe0b09ef27d284863cd2fd684cfdf469d2755dfc859887d5ca49de14ef0d35f922c345dcec9c7e20869f06e6deee0f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
843a4a709342aabf50216665dcc48531

SHA1
4f2dc8ca38eef1e1f309ec8c037bf0ddfaac9a37

SHA256
b329d34342edd452172d9300ee6463f301f42595fbfd7c0238709021742ebec5

SHA512
ef08977959cfe10a51c2db3492d66373eb3fd264c61629f2e4912e0ebef56f6b0e0c46e1b60e71333c0a2a5fadcf1589924b97440fe8c43fab9c3bb944beb2cf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
d072c272cf5d813395e6fde229f990a4

SHA1
3866db578dee4aa556ebfcbd4624fb3b0f249da5

SHA256
ed8e71203364425596d36c6f053d9d7a5c87d68189889e00d8a2586500e9e793

SHA512
85c00b01e3fe6ef45230d947b9f7349f09b51f095ce5936cab091e1a0555a9d37bb9ac26b32b6fb6086ca1a57e77b4b8387f9b06f44b014e33d68a0580a1a40f

Download Submit
memory/1112-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1420-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2032-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4044-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4044-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4476-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4840-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download