neconyd | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Size

96KB
MD5

7445cb0dd8dc1d4cabd9881969898b10
SHA1

b20ce716443b39f6bad665db6578fe6d9cb371be
SHA256

0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9
SHA512

61383698992e232ab3d95402a14b4b3c32de2ceec71a6863d04a064e05c59994a9783373ffb138154f12caded8809cc8ab372eb8c961c83e2d6649fc64744b95
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:zGs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5076	omsecor.exe
1076	omsecor.exe
616	omsecor.exe
3044	omsecor.exe
4520	omsecor.exe
768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 5076 set thread context of 1076	5076	omsecor.exe	89
PID 616 set thread context of 3044	616	omsecor.exe	101
PID 4520 set thread context of 768	4520	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1700	5076	WerFault.exe	88
4112	1384	WerFault.exe	84
1620	616	WerFault.exe	100
1064	4520	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 1384 wrote to memory of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 1384 wrote to memory of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 1384 wrote to memory of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 1384 wrote to memory of 3112	1384	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	85
PID 3112 wrote to memory of 5076	3112	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	88
PID 3112 wrote to memory of 5076	3112	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	88
PID 3112 wrote to memory of 5076	3112	0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe	88
PID 5076 wrote to memory of 1076	5076	omsecor.exe	89
PID 5076 wrote to memory of 1076	5076	omsecor.exe	89
PID 5076 wrote to memory of 1076	5076	omsecor.exe	89
PID 5076 wrote to memory of 1076	5076	omsecor.exe	89
PID 5076 wrote to memory of 1076	5076	omsecor.exe	89
PID 1076 wrote to memory of 616	1076	omsecor.exe	100
PID 1076 wrote to memory of 616	1076	omsecor.exe	100
PID 1076 wrote to memory of 616	1076	omsecor.exe	100
PID 616 wrote to memory of 3044	616	omsecor.exe	101
PID 616 wrote to memory of 3044	616	omsecor.exe	101
PID 616 wrote to memory of 3044	616	omsecor.exe	101
PID 616 wrote to memory of 3044	616	omsecor.exe	101
PID 616 wrote to memory of 3044	616	omsecor.exe	101
PID 3044 wrote to memory of 4520	3044	omsecor.exe	103
PID 3044 wrote to memory of 4520	3044	omsecor.exe	103
PID 3044 wrote to memory of 4520	3044	omsecor.exe	103
PID 4520 wrote to memory of 768	4520	omsecor.exe	105
PID 4520 wrote to memory of 768	4520	omsecor.exe	105
PID 4520 wrote to memory of 768	4520	omsecor.exe	105
PID 4520 wrote to memory of 768	4520	omsecor.exe	105
PID 4520 wrote to memory of 768	4520	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
"C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:616
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 256
        8⤵
        Program crash
        
        PID:1064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 296
        6⤵
        Program crash
        
        PID:1620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 272
      4⤵
      Program crash
      PID:1700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 300
  2⤵
  - Program crash
  PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1384 -ip 1384
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5076 -ip 5076
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 616 -ip 616
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4520 -ip 4520
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ecf227d50109f374225f909f705e9bc

SHA1
458cccab2e5ff2bfca3b98b64cf61f3ebb90a8c4

SHA256
7de87bc37afdf859278a2bad190a905cdbb3858787788971ecbb8ccfcd82fb15

SHA512
8ab66b6372f653cb4e03e2c4927719f99707bac4882a7f5918a82b247e523cc313835b1b618faa440b9be69d002a020ef39a3f4d84a542df22cb563e256ac186

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
793324b8a0328d0e7ce10a5c8e0eec1d

SHA1
20d0b2b7c25d1efc31e74a4f13e47a291b02dec9

SHA256
37b2056619bff4f80a28ac23c48e70ae5796d36718327449ff4785f6063c7ebe

SHA512
d516866ed52983584bd6e80c1e6ba8a4a3017aadce1bdfc6e6adc8ee4c63291f29a30b2a11d6a7406767765950718081382af45bb2265f59e086aab676a03ba0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
747bc807c0a8c056765310b6a9dfb909

SHA1
e1ee451ddb8aceed5ab170097bfb3c51ae47afbc

SHA256
92c5e4df8b8690f5365febf3e6b6889dfa4a0edbca160ccbdb645ae42c42ac40

SHA512
88f1f3e79ab8ad1dbf2915434a75f2d574ff41c1b42682edb43f186ae35aa1d08d569b1656fd1f3f61f62cf1cb879fe3d7395f481f2c54a46246a85095a0866e

Download Submit
memory/616-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/616-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/768-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1384-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1384-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3044-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4520-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4520-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5076-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5076-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download