neconyd | 8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
Size

96KB
MD5

9e70ef82f04aa92c97ad7a9ad6502b80
SHA1

c9cf403dbdf0e27fc633138049bc4d936c0e30b5
SHA256

8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4
SHA512

5d255df58545f737eee45f7868fa93952bf85ed7dcc5f6bdad00a0ee74c877350cdd233b0a300c7be2cde5fe28884a02ebcb5cd2a55e0a621a6367d6f49af86e
SSDEEP

1536:+nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:+Gs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3636	omsecor.exe
3520	omsecor.exe
3324	omsecor.exe
4892	omsecor.exe
3496	omsecor.exe
2776	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 3636 set thread context of 3520	3636	omsecor.exe	88
PID 3324 set thread context of 4892	3324	omsecor.exe	108
PID 3496 set thread context of 2776	3496	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3816	5064	WerFault.exe	82
2660	3636	WerFault.exe	86
4780	3324	WerFault.exe	107
4812	3496	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 5064 wrote to memory of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 5064 wrote to memory of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 5064 wrote to memory of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 5064 wrote to memory of 760	5064	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	83
PID 760 wrote to memory of 3636	760	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	86
PID 760 wrote to memory of 3636	760	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	86
PID 760 wrote to memory of 3636	760	8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe	86
PID 3636 wrote to memory of 3520	3636	omsecor.exe	88
PID 3636 wrote to memory of 3520	3636	omsecor.exe	88
PID 3636 wrote to memory of 3520	3636	omsecor.exe	88
PID 3636 wrote to memory of 3520	3636	omsecor.exe	88
PID 3636 wrote to memory of 3520	3636	omsecor.exe	88
PID 3520 wrote to memory of 3324	3520	omsecor.exe	107
PID 3520 wrote to memory of 3324	3520	omsecor.exe	107
PID 3520 wrote to memory of 3324	3520	omsecor.exe	107
PID 3324 wrote to memory of 4892	3324	omsecor.exe	108
PID 3324 wrote to memory of 4892	3324	omsecor.exe	108
PID 3324 wrote to memory of 4892	3324	omsecor.exe	108
PID 3324 wrote to memory of 4892	3324	omsecor.exe	108
PID 3324 wrote to memory of 4892	3324	omsecor.exe	108
PID 4892 wrote to memory of 3496	4892	omsecor.exe	110
PID 4892 wrote to memory of 3496	4892	omsecor.exe	110
PID 4892 wrote to memory of 3496	4892	omsecor.exe	110
PID 3496 wrote to memory of 2776	3496	omsecor.exe	112
PID 3496 wrote to memory of 2776	3496	omsecor.exe	112
PID 3496 wrote to memory of 2776	3496	omsecor.exe	112
PID 3496 wrote to memory of 2776	3496	omsecor.exe	112
PID 3496 wrote to memory of 2776	3496	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
"C:\Users\Admin\AppData\Local\Temp\8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
  C:\Users\Admin\AppData\Local\Temp\8f39a9b357600c54e03bdbf409c5bb54ce6ca63adaf98fbebdb46a6385f662c4N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 256
        8⤵
        Program crash
        
        PID:4812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 296
        6⤵
        Program crash
        
        PID:4780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 288
      4⤵
      Program crash
      PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 300
  2⤵
  - Program crash
  PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3636 -ip 3636
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3496 -ip 3496
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
161ef8a754d57da99576c7f804a19aba

SHA1
3c9e20fc7b4a6beb70217cbb4fef692c94bc2df1

SHA256
21cd5b6846aaff28ee750607fc8e05535e6406a8f9a4b47712f454d52fa5b70a

SHA512
4c1c29a03420c3139148ae34a51c9e19f0d639fa3ecbb5e86ce503bdc27f1030db8df1a81a34b0d369c09c9eeaa97e92a898b939642fc42731c6b9540109f1c4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ecb04fdbd59482c6df0a8f02b24692de

SHA1
70a381e98d9a931632221dfd5191b4b0cdecf40a

SHA256
b9552ae9f5f948aa8696fedf00a3a34daad4636d427b3b1a077766639a288633

SHA512
e5e841a7c47329e6b521393007643a2fa9af85b33e7add873cb14fd41b03bcaa9025b02840bd5e8cfc0f5de4775bef003663b85abb3e1008bdf190d90480a5e9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
de6d9ff471bf1a25a204ff5311c11262

SHA1
50094495e5bfcbb5020c16709bc597972f2ebc36

SHA256
870be7862b2a3b860a78be20c67d3d6662c9e2d55727cc43ae2f82b452573a11

SHA512
675030500b1b77b96c100cd01fdddfb4daf32b28f6b549bb26bc2e18fd75ca2878e01e18d87f3ee5efb1c4e5f00748199e60b5c29234ab0a342f4d8af33ef18a

Download Submit
memory/760-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2776-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3324-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3324-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3496-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3520-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3636-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3636-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4892-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4892-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4892-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5064-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5064-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download