neconyd | 2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Size

134KB
MD5

fa495b1e5ff529bc17284855a046deea
SHA1

3da744e498994df1280c111c8f6aa9a9ccc8cb4e
SHA256

2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74
SHA512

509ceeab9958a0394bec6476ec1f41ad99b1120bbdf90081d0c551a52040506ce72a18632091be1682eade119f7c4258c468e29428d4182c2d7cd7a037ae1450
SSDEEP

1536:tDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:9iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2752	omsecor.exe
2232	omsecor.exe
3400	omsecor.exe
3656	omsecor.exe
3412	omsecor.exe
4008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 2752 set thread context of 2232	2752	omsecor.exe	87
PID 3400 set thread context of 3656	3400	omsecor.exe	100
PID 3412 set thread context of 4008	3412	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
384	2220	WerFault.exe	82
1424	2752	WerFault.exe	86
4928	3400	WerFault.exe	99
5072	3412	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 2220 wrote to memory of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 2220 wrote to memory of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 2220 wrote to memory of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 2220 wrote to memory of 5100	2220	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	83
PID 5100 wrote to memory of 2752	5100	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	86
PID 5100 wrote to memory of 2752	5100	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	86
PID 5100 wrote to memory of 2752	5100	2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe	86
PID 2752 wrote to memory of 2232	2752	omsecor.exe	87
PID 2752 wrote to memory of 2232	2752	omsecor.exe	87
PID 2752 wrote to memory of 2232	2752	omsecor.exe	87
PID 2752 wrote to memory of 2232	2752	omsecor.exe	87
PID 2752 wrote to memory of 2232	2752	omsecor.exe	87
PID 2232 wrote to memory of 3400	2232	omsecor.exe	99
PID 2232 wrote to memory of 3400	2232	omsecor.exe	99
PID 2232 wrote to memory of 3400	2232	omsecor.exe	99
PID 3400 wrote to memory of 3656	3400	omsecor.exe	100
PID 3400 wrote to memory of 3656	3400	omsecor.exe	100
PID 3400 wrote to memory of 3656	3400	omsecor.exe	100
PID 3400 wrote to memory of 3656	3400	omsecor.exe	100
PID 3400 wrote to memory of 3656	3400	omsecor.exe	100
PID 3656 wrote to memory of 3412	3656	omsecor.exe	102
PID 3656 wrote to memory of 3412	3656	omsecor.exe	102
PID 3656 wrote to memory of 3412	3656	omsecor.exe	102
PID 3412 wrote to memory of 4008	3412	omsecor.exe	103
PID 3412 wrote to memory of 4008	3412	omsecor.exe	103
PID 3412 wrote to memory of 4008	3412	omsecor.exe	103
PID 3412 wrote to memory of 4008	3412	omsecor.exe	103
PID 3412 wrote to memory of 4008	3412	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
"C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
  C:\Users\Admin\AppData\Local\Temp\2b3c58de317edf4f288967b96f05eed279c862adaa73f31540de18ad3b33ab74.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 268
        8⤵
        Program crash
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 292
        6⤵
        Program crash
        
        PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 300
      4⤵
      Program crash
      PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 288
  2⤵
  - Program crash
  PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2220 -ip 2220
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2752 -ip 2752
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3400 -ip 3400
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3412 -ip 3412
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9052c2fb5013a3c7bfe8075e79c29e5f

SHA1
a43d6735cd984b143f9f62cd160f53ed4e005531

SHA256
ba85fa5eb37215e878df6fe4fdbbef31271ce710ca4c471f8486002411cf20f6

SHA512
1205b102530a9323dfd52cf52b2423b6a1b5f07a1339e4d6e933d4c23af585527a54a0e10120476d39e76fc19bb68e753db66236cb76d2d7fcc4bb83b4652c15

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3b2a252bd5db7501a9fd255a5a9ed6f9

SHA1
a8064e473449cf12913f3d501f3f6e03d78adefd

SHA256
ed90f43bc4f1cb73bad1d9b396465f84ffe8110ae645a7dbe4c7e6e244909abf

SHA512
658d0129555066b4b7f1e12adf14a1afb3f3f85d99dc71111a1f39453dab830b863487efa39031b5dffb3efcdb4be577c3b28b163d60cb2f91271e6f2feb6ca0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
2e56aef52a356a826fe9c2b7ae40863e

SHA1
a6711d3e19ac9d09bb18f07c358fe452d8aa914a

SHA256
791e8f0cfe949125f83a4e4d50c490c4dea8a1d008509550527e0d5691ad06e8

SHA512
bf440e7ae2eef533dcc247420e2d7ab03d0ec83f0a76ef6311fd9adb4b82ae65cae4972b5b76205656b6591834b979f57233a6410de3b92227a95ebef62706ac

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2220-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2752-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3400-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3412-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3656-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5100-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5100-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5100-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5100-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download