neconyd | 61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Size

96KB
MD5

af489875957b7980de9e7b9e657c6c20
SHA1

6e7dd8707e18624e41a4d2f57da6d905d940c970
SHA256

61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2
SHA512

e453687d958a9895b6f82bc221ff5ac7346c2a5175003c213d561a2306995e16a45b6ca2b282807a717abe4dd7ac749b262f73346157400f25d07a30cd38d72a
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:OGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
428	omsecor.exe
4496	omsecor.exe
4636	omsecor.exe
2260	omsecor.exe
4300	omsecor.exe
3564	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 428 set thread context of 4496	428	omsecor.exe	91
PID 4636 set thread context of 2260	4636	omsecor.exe	110
PID 4300 set thread context of 3564	4300	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1772	5048	WerFault.exe
5008	428	WerFault.exe
2108	4636	WerFault.exe	109
3272	4300	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 5048 wrote to memory of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 5048 wrote to memory of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 5048 wrote to memory of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 5048 wrote to memory of 4788	5048	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	85
PID 4788 wrote to memory of 428	4788	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	89
PID 4788 wrote to memory of 428	4788	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	89
PID 4788 wrote to memory of 428	4788	61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe	89
PID 428 wrote to memory of 4496	428	omsecor.exe	91
PID 428 wrote to memory of 4496	428	omsecor.exe	91
PID 428 wrote to memory of 4496	428	omsecor.exe	91
PID 428 wrote to memory of 4496	428	omsecor.exe	91
PID 428 wrote to memory of 4496	428	omsecor.exe	91
PID 4496 wrote to memory of 4636	4496	omsecor.exe	109
PID 4496 wrote to memory of 4636	4496	omsecor.exe	109
PID 4496 wrote to memory of 4636	4496	omsecor.exe	109
PID 4636 wrote to memory of 2260	4636	omsecor.exe	110
PID 4636 wrote to memory of 2260	4636	omsecor.exe	110
PID 4636 wrote to memory of 2260	4636	omsecor.exe	110
PID 4636 wrote to memory of 2260	4636	omsecor.exe	110
PID 4636 wrote to memory of 2260	4636	omsecor.exe	110
PID 2260 wrote to memory of 4300	2260	omsecor.exe	112
PID 2260 wrote to memory of 4300	2260	omsecor.exe	112
PID 2260 wrote to memory of 4300	2260	omsecor.exe	112
PID 4300 wrote to memory of 3564	4300	omsecor.exe	114
PID 4300 wrote to memory of 3564	4300	omsecor.exe	114
PID 4300 wrote to memory of 3564	4300	omsecor.exe	114
PID 4300 wrote to memory of 3564	4300	omsecor.exe	114
PID 4300 wrote to memory of 3564	4300	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
"C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
  C:\Users\Admin\AppData\Local\Temp\61e75d951ba642fc057bb7b0b97fa0f4a63fe6dfb277080b33b1209048cc6dc2N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 244
        8⤵
        Program crash
        
        PID:3272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 292
        6⤵
        Program crash
        
        PID:2108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 288
      4⤵
      Program crash
      PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 292
  2⤵
  - Program crash
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 428 -ip 428
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4636 -ip 4636
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4300 -ip 4300
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27f12c55f5c045eb25f507b398f93861

SHA1
0a2254f9e1b26b824695ed0c4da2846133265773

SHA256
37b2787fddca3cd83baea306d2b3b77be0ee00f670070dd09b8a8bc2e5b0da62

SHA512
8d87e78bff96014a5ec8c7587e4b13a251295816099987ee0b91c1eca7dfad647c6957e082103c6cd8056e8885f891e58b642e8851ca76a3da5904570b2a9c42

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
eae95d5004013b62c953c44d479c3c21

SHA1
b1f9f15ab9c5bee7dedd7e567faa24a0aada7629

SHA256
ebc820e0155900005907e9acedc3d8db1ab2d583beae9baded8fb4014236ff01

SHA512
4a255e49bc70002baead4c85831ca056cf6548e89f54f96f910310707a1ececb6d0d89e3cb487febbb30550582d10fb4a6f9bfa7b5a94456a3ff62a5ee2791fd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
60ed70f48c2d40508e3665ccdce2422d

SHA1
3df202c2c28a9156e89ea47d56e34b87b94982ba

SHA256
cbfb4c9544d8ced24e10fe0693afaae8ee20106eebc09f70ab534d3b62b114b6

SHA512
27fdf003644ce7759f40c4aa9e4549b2c5d23b0af5bc30cc066c993ac68dc6d8b1713bb34cb5331c7e9e56313b2fcf18944f3092fb5aa9daf6dbf0637b69a64a

Download Submit
memory/428-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/428-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4300-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4300-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4496-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4636-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4636-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4788-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4788-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4788-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4788-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5048-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download