neconyd | 8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
Size

96KB
MD5

2ddb2a596e835b97c13ad67fad801650
SHA1

080aba1077f9bcbb243329ceed9a4a761658e688
SHA256

8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0
SHA512

bcc5b8a6cd3ddc94eb46b751d80174585d22dfedc3b76f69d70a63183c0eb847bcf1d0b3436715976af86711bddfea2fd59bb9d366cbb76fb563ecba7075ba5b
SSDEEP

1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:BGs8cd8eXlYairZYqMddH13b

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2376	omsecor.exe
4888	omsecor.exe
4100	omsecor.exe
4448	omsecor.exe
512	omsecor.exe
2724	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 2376 set thread context of 4888	2376	omsecor.exe	87
PID 4100 set thread context of 4448	4100	omsecor.exe	100
PID 512 set thread context of 2724	512	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2504	2368	WerFault.exe	81
1220	2376	WerFault.exe	84
3532	4100	WerFault.exe	99
3132	512	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 2368 wrote to memory of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 2368 wrote to memory of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 2368 wrote to memory of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 2368 wrote to memory of 1236	2368	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	82
PID 1236 wrote to memory of 2376	1236	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	84
PID 1236 wrote to memory of 2376	1236	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	84
PID 1236 wrote to memory of 2376	1236	8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe	84
PID 2376 wrote to memory of 4888	2376	omsecor.exe	87
PID 2376 wrote to memory of 4888	2376	omsecor.exe	87
PID 2376 wrote to memory of 4888	2376	omsecor.exe	87
PID 2376 wrote to memory of 4888	2376	omsecor.exe	87
PID 2376 wrote to memory of 4888	2376	omsecor.exe	87
PID 4888 wrote to memory of 4100	4888	omsecor.exe	99
PID 4888 wrote to memory of 4100	4888	omsecor.exe	99
PID 4888 wrote to memory of 4100	4888	omsecor.exe	99
PID 4100 wrote to memory of 4448	4100	omsecor.exe	100
PID 4100 wrote to memory of 4448	4100	omsecor.exe	100
PID 4100 wrote to memory of 4448	4100	omsecor.exe	100
PID 4100 wrote to memory of 4448	4100	omsecor.exe	100
PID 4100 wrote to memory of 4448	4100	omsecor.exe	100
PID 4448 wrote to memory of 512	4448	omsecor.exe	102
PID 4448 wrote to memory of 512	4448	omsecor.exe	102
PID 4448 wrote to memory of 512	4448	omsecor.exe	102
PID 512 wrote to memory of 2724	512	omsecor.exe	103
PID 512 wrote to memory of 2724	512	omsecor.exe	103
PID 512 wrote to memory of 2724	512	omsecor.exe	103
PID 512 wrote to memory of 2724	512	omsecor.exe	103
PID 512 wrote to memory of 2724	512	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
  C:\Users\Admin\AppData\Local\Temp\8bbe6b9e83c838844ba155fba4212f6f2f8c9bdef810c5dbb291d38a80be95c0N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 256
        8⤵
        Program crash
        
        PID:3132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 292
        6⤵
        Program crash
        
        PID:3532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 288
      4⤵
      Program crash
      PID:1220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 288
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2376 -ip 2376
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4100 -ip 4100
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 512 -ip 512
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5de2469289e04041df6cb67eded2dd1c

SHA1
e9c3eba8c19e34e29a889ce64b4c381efb5ba009

SHA256
b0f74008bd674e7b8c4b695ba6e5e1038a860452821ae20ad0991d3895978d3a

SHA512
57b6835c3fe8c1ea886d3eb072a70ac9c83eb0f3f2d641e7c5f4952e6d745714ac0f62ef80c2989086e0fb6e58e4464d8f3db3eb743c2f84196edb70e751f359

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
41e9e655a54eab526e8c04f8280fd3cd

SHA1
894b79b0220f45eac55c1b3f934d934070ec9776

SHA256
5c28e0ab0dfb63416ba35833c9bb9ec9bb1b155aca309323ca24bce4abe16cc1

SHA512
4459b15985e149c53572c373e42ff280bcc0e4f234da4a3197d61321c1c1571945ae8c0204e6f51c65ef1b33dd767fe8bc66f8edcb2f6c369a98bfbfb2767537

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9225d2c29b38bb73cd8da96e3b13c859

SHA1
03928fd9f41b23c43c2ee04b2887363725267394

SHA256
2ebc6c996717b4379fc67909ff0282ee6fcd1095593def5b7c73cafa0a8a369d

SHA512
fc3984b0dd8254c70ab28e79b6101d812bd7ad92ccd04760953dd8cc60e6bdbeb226eb01475cc87edaad79d1fa4e15b79a5ba564cc0019c1c8e3e5749f912d2a

Download Submit
memory/512-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1236-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2368-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2724-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4100-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4448-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4888-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download