neconyd | 4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
Size

96KB
MD5

396e47fc5dbbce9771dd3775523d0c1c
SHA1

48a4015e038bbd575f3ed78d275053e2181b7d9f
SHA256

4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78
SHA512

f9ccadfa8a3aa606798dd265150cd2cd001ec5211e390626b84f3f6876236427cf42b9526c9383c13f1a8ccddb1f13ead46aeff3b1339b5678adaeb680f8c5fd
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:JGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1224	omsecor.exe
1852	omsecor.exe
1216	omsecor.exe
1308	omsecor.exe
4304	omsecor.exe
1592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3776 set thread context of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 1224 set thread context of 1852	1224	omsecor.exe	88
PID 1216 set thread context of 1308	1216	omsecor.exe	113
PID 4304 set thread context of 1592	4304	omsecor.exe	117

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4088	3776	WerFault.exe	82
1644	1224	WerFault.exe	86
1644	1216	WerFault.exe	112
640	4304	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 3776 wrote to memory of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 3776 wrote to memory of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 3776 wrote to memory of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 3776 wrote to memory of 3928	3776	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	83
PID 3928 wrote to memory of 1224	3928	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	86
PID 3928 wrote to memory of 1224	3928	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	86
PID 3928 wrote to memory of 1224	3928	4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe	86
PID 1224 wrote to memory of 1852	1224	omsecor.exe	88
PID 1224 wrote to memory of 1852	1224	omsecor.exe	88
PID 1224 wrote to memory of 1852	1224	omsecor.exe	88
PID 1224 wrote to memory of 1852	1224	omsecor.exe	88
PID 1224 wrote to memory of 1852	1224	omsecor.exe	88
PID 1852 wrote to memory of 1216	1852	omsecor.exe	112
PID 1852 wrote to memory of 1216	1852	omsecor.exe	112
PID 1852 wrote to memory of 1216	1852	omsecor.exe	112
PID 1216 wrote to memory of 1308	1216	omsecor.exe	113
PID 1216 wrote to memory of 1308	1216	omsecor.exe	113
PID 1216 wrote to memory of 1308	1216	omsecor.exe	113
PID 1216 wrote to memory of 1308	1216	omsecor.exe	113
PID 1216 wrote to memory of 1308	1216	omsecor.exe	113
PID 1308 wrote to memory of 4304	1308	omsecor.exe	115
PID 1308 wrote to memory of 4304	1308	omsecor.exe	115
PID 1308 wrote to memory of 4304	1308	omsecor.exe	115
PID 4304 wrote to memory of 1592	4304	omsecor.exe	117
PID 4304 wrote to memory of 1592	4304	omsecor.exe	117
PID 4304 wrote to memory of 1592	4304	omsecor.exe	117
PID 4304 wrote to memory of 1592	4304	omsecor.exe	117
PID 4304 wrote to memory of 1592	4304	omsecor.exe	117

C:\Users\Admin\AppData\Local\Temp\4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
"C:\Users\Admin\AppData\Local\Temp\4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
  C:\Users\Admin\AppData\Local\Temp\4d903b2dd7a4768a983bad3b1a0ed133bf9fcd4edac3d64a332a506fa8e5aa78.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 268
        8⤵
        Program crash
        
        PID:640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 292
        6⤵
        Program crash
        
        PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 300
      4⤵
      Program crash
      PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 288
  2⤵
  - Program crash
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3776 -ip 3776
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1224 -ip 1224
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1216 -ip 1216
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4304 -ip 4304
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
60b0356b7f63d1e5bf6cf9bf32217f9a

SHA1
bc0123d0d5cd7799f72e50d5808e7af4db6913a4

SHA256
e834af9ba61a2762ebc709ff2823bbfb0cd0db1b2d384bdb84a3ec868f7fd0d6

SHA512
0d556cb14faa65447bcc7ced3fa329e90eeac90c315c9934860c933f43fd90420c0d8fa75d36a268ba2ef8c50b6d13d6205ce5427a3bc476baf74cd6849ad14f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5fe23d076e7ad263a3a3b3531191ebdd

SHA1
466e2158f24b9d5e653426b6b1bbbcb46754e3e4

SHA256
948b08473d83bdcc320037da1297519c13b294b812a42ed8de6a0e9eab1017ca

SHA512
90102334a4fc8eea77449748672be9f1399b1d315a9565e35b9f3a59a8bb2a19fb549d036f7170b35b45d40a9b8b922dff6c8ce1909b77558ec4b9ab2fda16e5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
60eef374e8fbc134456952dcad9b071a

SHA1
12203de7811ae6ad5561367861598cc658fb5d11

SHA256
88413c71712517b30b71cb1a6597f75f3efcd565f9bf5cb6671ef4eb4f9ce773

SHA512
abaa605c3eafa909290794e6344069486a1b1a7573d3027e8728eb4d87f6d6eecbea34012193a8851c868fead47f4795d73d192857a51656c02e1035c2c49d16

Download Submit
memory/1216-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1216-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1308-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1308-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1308-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3776-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3776-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3928-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4304-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download