neconyd | facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a

Analysis

max time kernel
115s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
Size

96KB
MD5

2b3bf1308b7e79ef933b3d2592048f90
SHA1

387d9d6b78e9aa6fef3ddc5d08962a0c6711526c
SHA256

facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5a
SHA512

3f86081d595862dd03a97f01ee65d25a5ab22f402edf98257060d398632efabdcbc0ad378b149d5dfd71fc98b70f4f43fd2faafafa6e5f4810722ac31b2ff25b
SSDEEP

1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1916	omsecor.exe
3048	omsecor.exe
4032	omsecor.exe
3908	omsecor.exe
1056	omsecor.exe
2788	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 1916 set thread context of 3048	1916	omsecor.exe	88
PID 4032 set thread context of 3908	4032	omsecor.exe	108
PID 1056 set thread context of 2788	1056	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3936	2228	WerFault.exe	82
1900	1916	WerFault.exe	86
4508	4032	WerFault.exe	107
4424	1056	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 2228 wrote to memory of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 2228 wrote to memory of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 2228 wrote to memory of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 2228 wrote to memory of 4560	2228	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	83
PID 4560 wrote to memory of 1916	4560	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	86
PID 4560 wrote to memory of 1916	4560	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	86
PID 4560 wrote to memory of 1916	4560	facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe	86
PID 1916 wrote to memory of 3048	1916	omsecor.exe	88
PID 1916 wrote to memory of 3048	1916	omsecor.exe	88
PID 1916 wrote to memory of 3048	1916	omsecor.exe	88
PID 1916 wrote to memory of 3048	1916	omsecor.exe	88
PID 1916 wrote to memory of 3048	1916	omsecor.exe	88
PID 3048 wrote to memory of 4032	3048	omsecor.exe	107
PID 3048 wrote to memory of 4032	3048	omsecor.exe	107
PID 3048 wrote to memory of 4032	3048	omsecor.exe	107
PID 4032 wrote to memory of 3908	4032	omsecor.exe	108
PID 4032 wrote to memory of 3908	4032	omsecor.exe	108
PID 4032 wrote to memory of 3908	4032	omsecor.exe	108
PID 4032 wrote to memory of 3908	4032	omsecor.exe	108
PID 4032 wrote to memory of 3908	4032	omsecor.exe	108
PID 3908 wrote to memory of 1056	3908	omsecor.exe	110
PID 3908 wrote to memory of 1056	3908	omsecor.exe	110
PID 3908 wrote to memory of 1056	3908	omsecor.exe	110
PID 1056 wrote to memory of 2788	1056	omsecor.exe	111
PID 1056 wrote to memory of 2788	1056	omsecor.exe	111
PID 1056 wrote to memory of 2788	1056	omsecor.exe	111
PID 1056 wrote to memory of 2788	1056	omsecor.exe	111
PID 1056 wrote to memory of 2788	1056	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
"C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
  C:\Users\Admin\AppData\Local\Temp\facc8a9019a58871c175f23c94e592ee55f7fec7b154e4eab8602a35d67f9d5aN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 256
        8⤵
        Program crash
        
        PID:4424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 292
        6⤵
        Program crash
        
        PID:4508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 288
      4⤵
      Program crash
      PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 256
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2228 -ip 2228
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1916 -ip 1916
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4032 -ip 4032
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1056 -ip 1056
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e1757c47f9bd9a2f6c34bc68e691399a

SHA1
9dd26c95042ee3a71aa4207de9f9548e2006f450

SHA256
1efcc8ed4beee515a00c93739a8199a39e15a49094f7da94cbae38c86dcbdfed

SHA512
4b20322ebc180d1fc4f8e12b152789a9031900039b4cc4c1f519a3ede5c0edf81425ae7fedecdd59c49dbf740dd83451dee55c0cf1a4a8b4a4ecd5096ebbda0e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1c190a9308343d4e06ddb69d23e3eaa2

SHA1
f1dbf1b9bc052678ec282215034f37e54a4e6c0e

SHA256
a76d66d79700dd1bad84fad4eb4380a920e4e5136aae0e460d2625d3f259a706

SHA512
28b50f7d02701e202bc3f015c4733e540fac221b27317622094b7458fd31a53e136be776e2d251a2bddc9a369e020934c9df509155cab68948cb75852abc3d54

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d7407a55dc2e4d6edef5a6d7839668df

SHA1
d02987541a96419bedd120fb83ea949cce5a8e20

SHA256
7139e98eabb04ed5c5134871ffc11ec18afe5d81adbf577286fe23c37f8fb2bb

SHA512
f4405773a1633f334b429ab517f70a1a959dbb6d6000f168916843a6ebd59d10d0f0f40bfc853fee7cfd5ec9e5297752dfd9d7449c5c4e9a3597113ff1818913

Download Submit
memory/1056-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2228-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2228-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4560-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download