neconyd | 8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
Size

96KB
MD5

0b481018a8b1382484563291469c2db5
SHA1

6999c65cfe4d050752efd2b3e816904ecc054053
SHA256

8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596
SHA512

b9d26943a90264a840d63a58aebd96bbe555cade68d9241e12accd00798909cd5f0c6fb1b2d5be29a8b105ef103204571cd11443a1ce7a489d3f2011da18a228
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:5Gs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1524	omsecor.exe
2108	omsecor.exe
1052	omsecor.exe
5048	omsecor.exe
3400	omsecor.exe
3660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 1524 set thread context of 2108	1524	omsecor.exe	87
PID 1052 set thread context of 5048	1052	omsecor.exe	100
PID 3400 set thread context of 3660	3400	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4164	5012	WerFault.exe	81
1268	1524	WerFault.exe	84
3184	1052	WerFault.exe	99
4776	3400	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 5012 wrote to memory of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 5012 wrote to memory of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 5012 wrote to memory of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 5012 wrote to memory of 2404	5012	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	82
PID 2404 wrote to memory of 1524	2404	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	84
PID 2404 wrote to memory of 1524	2404	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	84
PID 2404 wrote to memory of 1524	2404	8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe	84
PID 1524 wrote to memory of 2108	1524	omsecor.exe	87
PID 1524 wrote to memory of 2108	1524	omsecor.exe	87
PID 1524 wrote to memory of 2108	1524	omsecor.exe	87
PID 1524 wrote to memory of 2108	1524	omsecor.exe	87
PID 1524 wrote to memory of 2108	1524	omsecor.exe	87
PID 2108 wrote to memory of 1052	2108	omsecor.exe	99
PID 2108 wrote to memory of 1052	2108	omsecor.exe	99
PID 2108 wrote to memory of 1052	2108	omsecor.exe	99
PID 1052 wrote to memory of 5048	1052	omsecor.exe	100
PID 1052 wrote to memory of 5048	1052	omsecor.exe	100
PID 1052 wrote to memory of 5048	1052	omsecor.exe	100
PID 1052 wrote to memory of 5048	1052	omsecor.exe	100
PID 1052 wrote to memory of 5048	1052	omsecor.exe	100
PID 5048 wrote to memory of 3400	5048	omsecor.exe	102
PID 5048 wrote to memory of 3400	5048	omsecor.exe	102
PID 5048 wrote to memory of 3400	5048	omsecor.exe	102
PID 3400 wrote to memory of 3660	3400	omsecor.exe	103
PID 3400 wrote to memory of 3660	3400	omsecor.exe	103
PID 3400 wrote to memory of 3660	3400	omsecor.exe	103
PID 3400 wrote to memory of 3660	3400	omsecor.exe	103
PID 3400 wrote to memory of 3660	3400	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
"C:\Users\Admin\AppData\Local\Temp\8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
  C:\Users\Admin\AppData\Local\Temp\8cff840a5dfb15e27298ecb4d362b8f1b1f09a46e77cbb955fe4c332a21e3596.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 268
        8⤵
        Program crash
        
        PID:4776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 292
        6⤵
        Program crash
        
        PID:3184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 288
      4⤵
      Program crash
      PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 292
  2⤵
  - Program crash
  PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5012 -ip 5012
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1524 -ip 1524
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1052 -ip 1052
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3400 -ip 3400
1⤵
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ed0f509d63bc8162cd63c8e06b82eae2

SHA1
7401a9600fcedac9b15d76e3e0aa5bc60d66bf46

SHA256
34dbed024a7038c73cdd0cd8c5736567f2cca2716332bc44dc36dccddc654283

SHA512
7150640555c64825835668ee633e497230a04b5cee17d981c95a6cefb0ef052fc17e6e971bb19ed7ea4af0dd20ddf9e101e87411856f68796e88d922b1d06c8f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
359fb3404db7c7d6bc19190796eb53c5

SHA1
f688eb00c7c7aba6d02c144c329f5529aeada4fd

SHA256
f6d91768154aa9430abba198ac853a9738e4feccf05032c4dd2f8810986a7918

SHA512
0e3e47781b8ff38b771942e7e8d82a7265b2b43091484e128ee37d06986843bed52ec6c3193ad556a03f7cb7030afdc03a380ffd3713323b964bdfdbc3444a32

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d219d9e48a1a6f3e9f0447f775d8c086

SHA1
354f668a05bf049dbe78792cfff679cedbb94bc2

SHA256
fa6410b827f4e38a381e2fabe6c9025ee41aa6230cd9028f60a6015096912c8e

SHA512
2ed43634bfa03224ed9ef0c53c4a16eafe1fa88da57d02eec19c173cdd756c23b194cfb46e6818a4fb870f8bd1238cc94cad8afb633eaebff85446ff0b6cfcd0

Download Submit
memory/1052-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2108-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3400-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3660-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3660-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3660-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5012-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5012-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5048-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download