neconyd | b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Size

96KB
MD5

5660f5cb7b91cea1ede70afff53730ee
SHA1

d07850e367820b066ab16efd1227bef7720b8543
SHA256

b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb
SHA512

8e54277ad848011b38a3312fa44b161fc03c771cab22b65f5ed6d66e6bce63da4c70ca94c81df3dec155524b446d51bcf58395526c7c53338f213f302483d4b3
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1144	omsecor.exe
3348	omsecor.exe
4144	omsecor.exe
892	omsecor.exe
3940	omsecor.exe
4820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 1144 set thread context of 3348	1144	omsecor.exe	88
PID 4144 set thread context of 892	4144	omsecor.exe	101
PID 3940 set thread context of 4820	3940	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1444	3584	WerFault.exe	82
3528	1144	WerFault.exe	86
3936	4144	WerFault.exe	100
3904	3940	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 3584 wrote to memory of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 3584 wrote to memory of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 3584 wrote to memory of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 3584 wrote to memory of 4680	3584	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	84
PID 4680 wrote to memory of 1144	4680	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	86
PID 4680 wrote to memory of 1144	4680	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	86
PID 4680 wrote to memory of 1144	4680	b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe	86
PID 1144 wrote to memory of 3348	1144	omsecor.exe	88
PID 1144 wrote to memory of 3348	1144	omsecor.exe	88
PID 1144 wrote to memory of 3348	1144	omsecor.exe	88
PID 1144 wrote to memory of 3348	1144	omsecor.exe	88
PID 1144 wrote to memory of 3348	1144	omsecor.exe	88
PID 3348 wrote to memory of 4144	3348	omsecor.exe	100
PID 3348 wrote to memory of 4144	3348	omsecor.exe	100
PID 3348 wrote to memory of 4144	3348	omsecor.exe	100
PID 4144 wrote to memory of 892	4144	omsecor.exe	101
PID 4144 wrote to memory of 892	4144	omsecor.exe	101
PID 4144 wrote to memory of 892	4144	omsecor.exe	101
PID 4144 wrote to memory of 892	4144	omsecor.exe	101
PID 4144 wrote to memory of 892	4144	omsecor.exe	101
PID 892 wrote to memory of 3940	892	omsecor.exe	103
PID 892 wrote to memory of 3940	892	omsecor.exe	103
PID 892 wrote to memory of 3940	892	omsecor.exe	103
PID 3940 wrote to memory of 4820	3940	omsecor.exe	105
PID 3940 wrote to memory of 4820	3940	omsecor.exe	105
PID 3940 wrote to memory of 4820	3940	omsecor.exe	105
PID 3940 wrote to memory of 4820	3940	omsecor.exe	105
PID 3940 wrote to memory of 4820	3940	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
"C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
  C:\Users\Admin\AppData\Local\Temp\b85eebac4de12252d44d65df86992eb43b17c140f36b22c0318b1737111b02eb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 256
        8⤵
        Program crash
        
        PID:3904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 292
        6⤵
        Program crash
        
        PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 288
      4⤵
      Program crash
      PID:3528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 288
  2⤵
  - Program crash
  PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3584 -ip 3584
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1144 -ip 1144
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4144 -ip 4144
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3940 -ip 3940
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
99b114e0a2dca90c42c4f21db2bb724f

SHA1
55a9babef461ee4742a8a508f8d6b2592dda43b1

SHA256
6f5b3d7daaea00aae60742bf8e1409b7f5524ac0c9f36595cf4570c55cb61d67

SHA512
53c16220053fa2c9c9aad0a795883f7c843427373f70b1ebfbc6e22a1cecb33d44661b1cedce933bfe2531c5f789da47630dc32f802634b84a86a16ee1a38741

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0c21890a444bf9423cbdefee56a39d30

SHA1
038dce0e097a67a5e0bd14f70af5b5fdaba6b4ba

SHA256
6c01ca205bc0b7d8cef5284c9f2393966e7411c28e6080c6f4e8fd7607016923

SHA512
68a8c2004077c23dad5d3b07974afed1cd4203198ee78a8b3d755a579358d2fcdf6128beb59d505277c516bedb39b0fdc84d16e18ceab3893b64fbe03011653e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d909a0d911dad52c883c3ba4d7795c85

SHA1
86e210d73f3be42e2c8723424c2485a39d2ce0ad

SHA256
6c50a2d92ba61f26b4d8c8c236989827e8f8d0f3e49ba03002874e4525933bd0

SHA512
2f3d22788135a3774285c292089ed4c61950a2a085580d02c2d00b7e962820a28d279301974607018cc737591e3ef3840ddfdbeb1c21d465654773fb16ff6c98

Download Submit
memory/892-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/892-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1144-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1144-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3348-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3348-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3584-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3940-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3940-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4680-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download