neconyd | 052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
Size

96KB
MD5

0fdf818495b6ebbd1f420d0a39bbea90
SHA1

e34e419636e4c676f3d5e428117ada6f33ed6fe3
SHA256

052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378
SHA512

4404fc8bf055e631d5a48f49ead963d7802adc05092ce408a5d635ed68ae270b6f33a74f081d2521a1f24c9c87d73d5a60e1cf700d594952df51ff49e7d07bfc
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:UGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1052	omsecor.exe
3844	omsecor.exe
4520	omsecor.exe
4844	omsecor.exe
4484	omsecor.exe
4572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 1052 set thread context of 3844	1052	omsecor.exe	89
PID 4520 set thread context of 4844	4520	omsecor.exe	113
PID 4484 set thread context of 4572	4484	omsecor.exe	117

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1492	2716	WerFault.exe	83
4008	1052	WerFault.exe	86
4052	4520	WerFault.exe	112
5048	4484	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 2716 wrote to memory of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 2716 wrote to memory of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 2716 wrote to memory of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 2716 wrote to memory of 3400	2716	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	84
PID 3400 wrote to memory of 1052	3400	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	86
PID 3400 wrote to memory of 1052	3400	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	86
PID 3400 wrote to memory of 1052	3400	052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe	86
PID 1052 wrote to memory of 3844	1052	omsecor.exe	89
PID 1052 wrote to memory of 3844	1052	omsecor.exe	89
PID 1052 wrote to memory of 3844	1052	omsecor.exe	89
PID 1052 wrote to memory of 3844	1052	omsecor.exe	89
PID 1052 wrote to memory of 3844	1052	omsecor.exe	89
PID 3844 wrote to memory of 4520	3844	omsecor.exe	112
PID 3844 wrote to memory of 4520	3844	omsecor.exe	112
PID 3844 wrote to memory of 4520	3844	omsecor.exe	112
PID 4520 wrote to memory of 4844	4520	omsecor.exe	113
PID 4520 wrote to memory of 4844	4520	omsecor.exe	113
PID 4520 wrote to memory of 4844	4520	omsecor.exe	113
PID 4520 wrote to memory of 4844	4520	omsecor.exe	113
PID 4520 wrote to memory of 4844	4520	omsecor.exe	113
PID 4844 wrote to memory of 4484	4844	omsecor.exe	115
PID 4844 wrote to memory of 4484	4844	omsecor.exe	115
PID 4844 wrote to memory of 4484	4844	omsecor.exe	115
PID 4484 wrote to memory of 4572	4484	omsecor.exe	117
PID 4484 wrote to memory of 4572	4484	omsecor.exe	117
PID 4484 wrote to memory of 4572	4484	omsecor.exe	117
PID 4484 wrote to memory of 4572	4484	omsecor.exe	117
PID 4484 wrote to memory of 4572	4484	omsecor.exe	117

C:\Users\Admin\AppData\Local\Temp\052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
"C:\Users\Admin\AppData\Local\Temp\052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
  C:\Users\Admin\AppData\Local\Temp\052350175d35af53d6a327d3defe85cc79ad2c4fcaa51e7044098e3d271cf378N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 256
        8⤵
        Program crash
        
        PID:5048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 292
        6⤵
        Program crash
        
        PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 300
      4⤵
      Program crash
      PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 300
  2⤵
  - Program crash
  PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1052 -ip 1052
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4484 -ip 4484
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4c7de0c04382163779faa492d44c5d7b

SHA1
d158bb0ac695701bd4d3d7874b78e805574980e4

SHA256
ee874732f7a2a14c5b8bb4fc7be2896650e5f1152d49a956e32fe102270b3539

SHA512
4c96d17b752a2e218a85ee7d46d7e424a660b5a85a8388042a5de824b8985f199ab1141e3c120d0fd92962a084b1d57c322d8d35c68a0dae45caa20f4488fcdc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
995a43bf4a515a4d9ce8609966bff728

SHA1
372941fa97c44c1857407f41d8fad3726923efd4

SHA256
09bc668a71ec72afa815776c8fa6ef5c7c84c4b3a1aad8fa27bb9fcb7d25443c

SHA512
1a4a2bc05298c4856675795d8e157fcb4ac59e21720be781e90b5c5793ce2040c4cd2694562a88b8167f6f450c20a9455428acd38b95aaea7f19da375754c0fe

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
31f08bb516cf966384f3e349450f0ef6

SHA1
f1d08995dbc71777734a7062fb2942f2642848de

SHA256
a3995713f038a801e4b755a138fd457b2ff27c066ba71b361e17da52a19db4c3

SHA512
61ef53c03332283b1703446971edf45b98bf5424c5af23755c0d63d67f461e760178b41e2c91806e68398c367a7d3be45346353d2156d84808ccab55ffd1c9bb

Download Submit
memory/1052-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3400-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4484-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4520-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4520-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4572-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4844-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4844-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4844-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download