neconyd | d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287b

Analysis

max time kernel
116s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Size

134KB
MD5

a5a67f612b5a17a66c725b8269528500
SHA1

be4760955ba37cf1506dbea0fcb47601a8a28e16
SHA256

d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287b
SHA512

420c515f8b90f90b6a0a2845ab173e3298ff8bf248b36abcb61a176bd8ec03d4343f55076a8c1b866f6319004cd5553123a502ffe9cc22e6d8338adcfd00d67d
SSDEEP

1536:MDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:yiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Downloads MZ/PE file 1 IoCs

flow	pid	Process
48	4928	Process not Found

Executes dropped EXE 6 IoCs

pid	Process
1460	omsecor.exe
1760	omsecor.exe
1028	omsecor.exe
656	omsecor.exe
4968	omsecor.exe
4468	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 1460 set thread context of 1760	1460	omsecor.exe	90
PID 1028 set thread context of 656	1028	omsecor.exe	106
PID 4968 set thread context of 4468	4968	omsecor.exe	109

Program crash 4 IoCs

pid	pid_target	Process	procid_target
668	1460	WerFault.exe	88
1796	4564	WerFault.exe	85
2584	1028	WerFault.exe	105
2164	4968	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2420	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 4564 wrote to memory of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 4564 wrote to memory of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 4564 wrote to memory of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 4564 wrote to memory of 1404	4564	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	86
PID 1404 wrote to memory of 1460	1404	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	88
PID 1404 wrote to memory of 1460	1404	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	88
PID 1404 wrote to memory of 1460	1404	d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe	88
PID 1460 wrote to memory of 1760	1460	omsecor.exe	90
PID 1460 wrote to memory of 1760	1460	omsecor.exe	90
PID 1460 wrote to memory of 1760	1460	omsecor.exe	90
PID 1460 wrote to memory of 1760	1460	omsecor.exe	90
PID 1460 wrote to memory of 1760	1460	omsecor.exe	90
PID 1760 wrote to memory of 1028	1760	omsecor.exe	105
PID 1760 wrote to memory of 1028	1760	omsecor.exe	105
PID 1760 wrote to memory of 1028	1760	omsecor.exe	105
PID 1028 wrote to memory of 656	1028	omsecor.exe	106
PID 1028 wrote to memory of 656	1028	omsecor.exe	106
PID 1028 wrote to memory of 656	1028	omsecor.exe	106
PID 1028 wrote to memory of 656	1028	omsecor.exe	106
PID 1028 wrote to memory of 656	1028	omsecor.exe	106
PID 656 wrote to memory of 4968	656	omsecor.exe	108
PID 656 wrote to memory of 4968	656	omsecor.exe	108
PID 656 wrote to memory of 4968	656	omsecor.exe	108
PID 4968 wrote to memory of 4468	4968	omsecor.exe	109
PID 4968 wrote to memory of 4468	4968	omsecor.exe	109
PID 4968 wrote to memory of 4468	4968	omsecor.exe	109
PID 4968 wrote to memory of 4468	4968	omsecor.exe	109
PID 4968 wrote to memory of 4468	4968	omsecor.exe	109

C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
"C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 268
        8⤵
        Program crash
        
        PID:2164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 292
        6⤵
        Program crash
        
        PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 288
      4⤵
      Program crash
      PID:668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 288
  2⤵
  - Program crash
  PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1460 -ip 1460
1⤵
PID:1732

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjNCMEJDNzktMkRDMC00QzAwLTg2NDAtOEQ3RjM1QTlCRUM5fSIgdXNlcmlkPSJ7RDFEMkUzRTEtOTIyQy00NEFBLTk5MTAtRTg4MERGQzQ0OUVEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODFENDc1MTUtQzdGNC00QkQ1LTlFMjQtMjM4MDQxRTk2REFBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjM0MjkyNTM2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1028 -ip 1028
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4968 -ip 4968
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
cfc84a3a1501caaa91f7b5b0388eed32

SHA1
7631a1cf9ef4b8879db9f9771a88d48842e39f47

SHA256
92fa58f9c3f31e4056bf4ac78ea3b498aa8016432c8571db4d4b6d859bc6e7b3

SHA512
a6a2685fcd1844c3ca08df59add4a550a1eb0548044ccbd51e6d2c9046f86e3c6b95cda63de64c1f47372e7b3f3fc9e097e698c72bcd0e84740f010f5c0ed548

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
42d9bd64ea09d414dd79cf2c3490f5af

SHA1
0eb3b031246a1032ae48fe22c7e9fc06d321fef9

SHA256
fdd220fcf198c3a9307fe46f60bee0b1574dbc273832c110068e6dac656f0e34

SHA512
2184d765fe48dd35842dfb6c8614478621bb4c9d5e906ce634e72f1310e583b6711264808d1a978a8ce7b2f7b642b9ef19283a1868c5c14e627c916f3aa01b22

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
644a31088d68faa1923954aae56489e7

SHA1
808786a48b2de2fc50c706cb784c8609ef8f8aab

SHA256
f1f7b8f9961d1dba59892f1781b6205d8200a7b64b37e40683d54a34db2d74f3

SHA512
41efa108b9d89ccbe0e665d13ba500b342b1bb9c712b7936f0f5e51e958bfad1a1d8412245445b3aa0d3a68934e5062094413d1cbce70abb01c1fef65ff3e28d

Download Submit
memory/656-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/656-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1028-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1404-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1404-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1404-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1404-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1460-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4564-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4968-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download