neconyd | 2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
Size

96KB
MD5

a168ebd70238294f0d91e5ef1c4e4471
SHA1

5f651f734419ca1de148859c80df75a2a8a7cb1c
SHA256

2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972
SHA512

5d5bce4400af7e6c2ecd595d0e57d71204aea3803af9e390195a491cb7fce7a2c0ad8147fe444b8ab1fee422474b311cd0395f8ebdb0677c83e0225fe0dc2b58
SSDEEP

1536:8nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:8Gs8cd8eXlYairZYqMddH13j

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4744	omsecor.exe
396	omsecor.exe
1620	omsecor.exe
548	omsecor.exe
3752	omsecor.exe
2768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 4744 set thread context of 396	4744	omsecor.exe	91
PID 1620 set thread context of 548	1620	omsecor.exe	102
PID 3752 set thread context of 2768	3752	omsecor.exe	106

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3020	1844	WerFault.exe	84
2004	4744	WerFault.exe	89
4704	1620	WerFault.exe	101
2428	3752	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 1844 wrote to memory of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 1844 wrote to memory of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 1844 wrote to memory of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 1844 wrote to memory of 892	1844	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	86
PID 892 wrote to memory of 4744	892	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	89
PID 892 wrote to memory of 4744	892	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	89
PID 892 wrote to memory of 4744	892	2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe	89
PID 4744 wrote to memory of 396	4744	omsecor.exe	91
PID 4744 wrote to memory of 396	4744	omsecor.exe	91
PID 4744 wrote to memory of 396	4744	omsecor.exe	91
PID 4744 wrote to memory of 396	4744	omsecor.exe	91
PID 4744 wrote to memory of 396	4744	omsecor.exe	91
PID 396 wrote to memory of 1620	396	omsecor.exe	101
PID 396 wrote to memory of 1620	396	omsecor.exe	101
PID 396 wrote to memory of 1620	396	omsecor.exe	101
PID 1620 wrote to memory of 548	1620	omsecor.exe	102
PID 1620 wrote to memory of 548	1620	omsecor.exe	102
PID 1620 wrote to memory of 548	1620	omsecor.exe	102
PID 1620 wrote to memory of 548	1620	omsecor.exe	102
PID 1620 wrote to memory of 548	1620	omsecor.exe	102
PID 548 wrote to memory of 3752	548	omsecor.exe	104
PID 548 wrote to memory of 3752	548	omsecor.exe	104
PID 548 wrote to memory of 3752	548	omsecor.exe	104
PID 3752 wrote to memory of 2768	3752	omsecor.exe	106
PID 3752 wrote to memory of 2768	3752	omsecor.exe	106
PID 3752 wrote to memory of 2768	3752	omsecor.exe	106
PID 3752 wrote to memory of 2768	3752	omsecor.exe	106
PID 3752 wrote to memory of 2768	3752	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
"C:\Users\Admin\AppData\Local\Temp\2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
  C:\Users\Admin\AppData\Local\Temp\2feef2302c5948336e9a356ac834185abd392f8001bb8a2422ce0091c3a91972.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 256
        8⤵
        Program crash
        
        PID:2428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 292
        6⤵
        Program crash
        
        PID:4704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 300
      4⤵
      Program crash
      PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 288
  2⤵
  - Program crash
  PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1844 -ip 1844
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4744 -ip 4744
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1620 -ip 1620
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3752 -ip 3752
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dc20d0ac6d7d106511e3667e57f69aed

SHA1
5227e5ba4e4dce001fd90d2d0d7d38d1e06c48e8

SHA256
cfa05d2751415374db71a8db2394a8ee66275dc73842fc0931a81cc4bcddfd55

SHA512
ef8951b94a0054f410838f3563a3d8c1c188dc3c931e2175b098ef0b61f707ba29220979f98ccc1aeeba0240e44f71e9724e1d27f2de999a06be167060514f31

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
548eb866ff1c8935b43c6da7ffec4de9

SHA1
aa8c89c00796317565940c5bf685dbbd2b93f1e2

SHA256
2d99e85cd5296ad605ab9f4dde3c83e9564453132de8859538bf537df3f59879

SHA512
2a4d3bff6fb6546983eb2753132598c7ab5641f50f28149fa244cd6653a542f4270d5b03324c3d9efbd710c41583ff0629ceeea2e8e5908fae788d094f89e13d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
37d9a1c295e804a504bc3a484ac24ce3

SHA1
554a9ce26369265ce7247b9abbd25f3284d04fec

SHA256
07c541fd74ac39f2013afdd31c211d19c11169c4b529ebbf5b13b19a91f7a2cf

SHA512
a3cd8e3efc41fb75843090232c257d879d41b680af8d6947ce77d22ccfaeb9e81a2ca48ac54feb753a19cf84d57eb1f4f8c18330d50c26b7383188e54a9d24c7

Download Submit
memory/396-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/548-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1620-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1620-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1844-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1844-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2768-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3752-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3752-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4744-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4744-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download