neconyd | 4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Size

96KB
MD5

73d2a65a8acc5264513bc55c9c7a2c8d
SHA1

99dd66e3c2d10fd90729245d0e95040933b5176f
SHA256

4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029
SHA512

f4a9a1ed372c06829cc00aab496aecc47ef7cfdc2ee742276c9ea12b63dcae731983ac1a1cc14e54bafbd81e33f0a680fd9a0730ca4dcc4aafa8bd1c22eda3ae
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:RGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1828	omsecor.exe
2292	omsecor.exe
1060	omsecor.exe
2236	omsecor.exe
4840	omsecor.exe
1528	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 1828 set thread context of 2292	1828	omsecor.exe	89
PID 1060 set thread context of 2236	1060	omsecor.exe	101
PID 4840 set thread context of 1528	4840	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4408	2356	WerFault.exe	82
4216	1828	WerFault.exe	86
2164	1060	WerFault.exe	100
3888	4840	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 2356 wrote to memory of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 2356 wrote to memory of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 2356 wrote to memory of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 2356 wrote to memory of 1108	2356	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	83
PID 1108 wrote to memory of 1828	1108	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	86
PID 1108 wrote to memory of 1828	1108	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	86
PID 1108 wrote to memory of 1828	1108	4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe	86
PID 1828 wrote to memory of 2292	1828	omsecor.exe	89
PID 1828 wrote to memory of 2292	1828	omsecor.exe	89
PID 1828 wrote to memory of 2292	1828	omsecor.exe	89
PID 1828 wrote to memory of 2292	1828	omsecor.exe	89
PID 1828 wrote to memory of 2292	1828	omsecor.exe	89
PID 2292 wrote to memory of 1060	2292	omsecor.exe	100
PID 2292 wrote to memory of 1060	2292	omsecor.exe	100
PID 2292 wrote to memory of 1060	2292	omsecor.exe	100
PID 1060 wrote to memory of 2236	1060	omsecor.exe	101
PID 1060 wrote to memory of 2236	1060	omsecor.exe	101
PID 1060 wrote to memory of 2236	1060	omsecor.exe	101
PID 1060 wrote to memory of 2236	1060	omsecor.exe	101
PID 1060 wrote to memory of 2236	1060	omsecor.exe	101
PID 2236 wrote to memory of 4840	2236	omsecor.exe	103
PID 2236 wrote to memory of 4840	2236	omsecor.exe	103
PID 2236 wrote to memory of 4840	2236	omsecor.exe	103
PID 4840 wrote to memory of 1528	4840	omsecor.exe	105
PID 4840 wrote to memory of 1528	4840	omsecor.exe	105
PID 4840 wrote to memory of 1528	4840	omsecor.exe	105
PID 4840 wrote to memory of 1528	4840	omsecor.exe	105
PID 4840 wrote to memory of 1528	4840	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
"C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
  C:\Users\Admin\AppData\Local\Temp\4fb4ecdffe56a2a5f67e05ff50df0bf6cd4461fd8744a9ed1af8cc9114588029.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 256
        8⤵
        Program crash
        
        PID:3888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 292
        6⤵
        Program crash
        
        PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 288
      4⤵
      Program crash
      PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 288
  2⤵
  - Program crash
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1828 -ip 1828
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1060 -ip 1060
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4840 -ip 4840
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
48ddf42ee248636cfced720855c498ce

SHA1
c5f681203915e7e8528449ce87748ffae80b6b3e

SHA256
c0944b7a44a5a1b4269937fc3869bdd10c06df72a5c89e36f860460feeb51329

SHA512
08e4e1f18723280c275ad56a5e2f4fe9e3ef2cbb947e93aa98bab30f613f1494869920a13cdb60dfbe49f12fcb3d06137ab61000f7c0e2dfbae0fdc5e3e9a8cc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
000d160fc64957a0d342ffdc4d30fc33

SHA1
2666fe9be10183987b424dfb4f28478a0edcd1ef

SHA256
a3352411ccfcfddbe4404350dd90d438e926603cb099a7933ce0ca083e470b62

SHA512
4fbae7fbe6642edd8f2408d60878be861f086e1290c06feb0f7d62b347f592ac8de803ca06b5f77af412dbf07a3cc41ca7b95569b1df8c6cd707f124b1f98409

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
34e7042597c253343aa1465c568cdba9

SHA1
2d6fd273b65508fc6d05ce3615cbc3738cb5ad5d

SHA256
d86cdc3d5e1b781a289b3c803acd3f9e264084814ae951fd74ac10d999d93eca

SHA512
c3b563ae5bb5fbae74e1d4ba872af0a99ac9442f0bed24de9183abb63e7ef910bf0af6af6bcec55a97a71426175e0bf3599da4091cd5131572303467aa87845d

Download Submit
memory/1060-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1060-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1108-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1108-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1108-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1108-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1528-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1828-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1828-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2292-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4840-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4840-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download