neconyd | ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2f

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
Size

96KB
MD5

be2151ab0a35c54a3e6cbd72d9c6f5e0
SHA1

2841882d71adcf31701c778c43d47c558ee7c266
SHA256

ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2f
SHA512

6375ea85905f966b83064da626262af86984357608cef45afc9caa420d2695d43a7738cb30e706173277bcf3a9502a2656b81f7837a0d610b40c6020bd3374ca
SSDEEP

1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:pGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1496	omsecor.exe
4048	omsecor.exe
3556	omsecor.exe
3728	omsecor.exe
4440	omsecor.exe
2368	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 1496 set thread context of 4048	1496	omsecor.exe	89
PID 3556 set thread context of 3728	3556	omsecor.exe	101
PID 4440 set thread context of 2368	4440	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3460	3532	WerFault.exe	82
412	1496	WerFault.exe	86
2820	3556	WerFault.exe	100
1960	4440	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 3532 wrote to memory of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 3532 wrote to memory of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 3532 wrote to memory of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 3532 wrote to memory of 1268	3532	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	83
PID 1268 wrote to memory of 1496	1268	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	86
PID 1268 wrote to memory of 1496	1268	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	86
PID 1268 wrote to memory of 1496	1268	ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe	86
PID 1496 wrote to memory of 4048	1496	omsecor.exe	89
PID 1496 wrote to memory of 4048	1496	omsecor.exe	89
PID 1496 wrote to memory of 4048	1496	omsecor.exe	89
PID 1496 wrote to memory of 4048	1496	omsecor.exe	89
PID 1496 wrote to memory of 4048	1496	omsecor.exe	89
PID 4048 wrote to memory of 3556	4048	omsecor.exe	100
PID 4048 wrote to memory of 3556	4048	omsecor.exe	100
PID 4048 wrote to memory of 3556	4048	omsecor.exe	100
PID 3556 wrote to memory of 3728	3556	omsecor.exe	101
PID 3556 wrote to memory of 3728	3556	omsecor.exe	101
PID 3556 wrote to memory of 3728	3556	omsecor.exe	101
PID 3556 wrote to memory of 3728	3556	omsecor.exe	101
PID 3556 wrote to memory of 3728	3556	omsecor.exe	101
PID 3728 wrote to memory of 4440	3728	omsecor.exe	103
PID 3728 wrote to memory of 4440	3728	omsecor.exe	103
PID 3728 wrote to memory of 4440	3728	omsecor.exe	103
PID 4440 wrote to memory of 2368	4440	omsecor.exe	105
PID 4440 wrote to memory of 2368	4440	omsecor.exe	105
PID 4440 wrote to memory of 2368	4440	omsecor.exe	105
PID 4440 wrote to memory of 2368	4440	omsecor.exe	105
PID 4440 wrote to memory of 2368	4440	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
"C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 256
        8⤵
        Program crash
        
        PID:1960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 292
        6⤵
        Program crash
        
        PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 288
      4⤵
      Program crash
      PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 288
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3532 -ip 3532
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1496 -ip 1496
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3556 -ip 3556
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 4440
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5875ca462cbfe00a32aee8e15bf31ae6

SHA1
3b67402bd2022bbd7889b3c1a6c24a42053a39df

SHA256
f4c3a7b5cedbe4c16690bf90454c95108176cd8138159435a0c0a60a3e8050a0

SHA512
54c7769a99eb6fdfe3aa6f31eb78ec9d73b1326285b8501591fd3c31b021587521087a46a1d83160d1a97c6def223f0f47f440e35e3644d337f6a10798f4d5ae

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
01160e990d37e0e039054cd476af4b79

SHA1
c98ffa395feeee48c0d1fb40cbb5390445d189c0

SHA256
1df4acebc81143e58a1e8df421371bd1edb43a97e22c450ac12f73a0bfe8df18

SHA512
7518c1b080aab03dde1799b48fd2d89940a5000c37379c7aa47c85c4be92c2f6d5d79583d916edbd676321e6b5136934463fd1fedf280fa47cab7cf61ad07010

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b22454ea0dceba75ec647dce24637c97

SHA1
19c441ec016095b748c8261d118fc4a374f0f2f7

SHA256
9a75cb4723aa082ff2a424af146cc20d24aee50257cd1d2002f591b58d307df0

SHA512
635755951a98efbfca6233b8d7de1d48e98f5135ce0147cb480067a5089d13df832f0dd0500d3554e9b665f6cbbeea95c59d76324f1bedca7b2317456c65fb5e

Download Submit
memory/1268-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2368-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3532-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3556-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3556-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3728-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3728-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3728-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-42-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download