neconyd | fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
Size

96KB
MD5

a63cd8ef554c8a42630a92a4fdde970c
SHA1

0530eb7362ca19d6aa953a7d35bbca034a01c751
SHA256

fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f
SHA512

567d55fae6070f24e6530079caade578961974ada1076f068183e8ee2ea6cc9c8b9d68f13751ea486a03420f26709089ef69a2e37b213a989be1a1c3d3ea7930
SSDEEP

1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:VGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
452	omsecor.exe
3500	omsecor.exe
3920	omsecor.exe
3904	omsecor.exe
3652	omsecor.exe
1644	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 452 set thread context of 3500	452	omsecor.exe	87
PID 3920 set thread context of 3904	3920	omsecor.exe	107
PID 3652 set thread context of 1644	3652	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2784	1076	WerFault.exe	82
2184	452	WerFault.exe	85
3536	3920	WerFault.exe	106
4356	3652	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 1076 wrote to memory of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 1076 wrote to memory of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 1076 wrote to memory of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 1076 wrote to memory of 400	1076	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	83
PID 400 wrote to memory of 452	400	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	85
PID 400 wrote to memory of 452	400	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	85
PID 400 wrote to memory of 452	400	fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe	85
PID 452 wrote to memory of 3500	452	omsecor.exe	87
PID 452 wrote to memory of 3500	452	omsecor.exe	87
PID 452 wrote to memory of 3500	452	omsecor.exe	87
PID 452 wrote to memory of 3500	452	omsecor.exe	87
PID 452 wrote to memory of 3500	452	omsecor.exe	87
PID 3500 wrote to memory of 3920	3500	omsecor.exe	106
PID 3500 wrote to memory of 3920	3500	omsecor.exe	106
PID 3500 wrote to memory of 3920	3500	omsecor.exe	106
PID 3920 wrote to memory of 3904	3920	omsecor.exe	107
PID 3920 wrote to memory of 3904	3920	omsecor.exe	107
PID 3920 wrote to memory of 3904	3920	omsecor.exe	107
PID 3920 wrote to memory of 3904	3920	omsecor.exe	107
PID 3920 wrote to memory of 3904	3920	omsecor.exe	107
PID 3904 wrote to memory of 3652	3904	omsecor.exe	109
PID 3904 wrote to memory of 3652	3904	omsecor.exe	109
PID 3904 wrote to memory of 3652	3904	omsecor.exe	109
PID 3652 wrote to memory of 1644	3652	omsecor.exe	111
PID 3652 wrote to memory of 1644	3652	omsecor.exe	111
PID 3652 wrote to memory of 1644	3652	omsecor.exe	111
PID 3652 wrote to memory of 1644	3652	omsecor.exe	111
PID 3652 wrote to memory of 1644	3652	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
"C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
  C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 268
        8⤵
        Program crash
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 292
        6⤵
        Program crash
        
        PID:3536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 300
      4⤵
      Program crash
      PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 304
  2⤵
  - Program crash
  PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1076 -ip 1076
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 452 -ip 452
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3920 -ip 3920
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3652 -ip 3652
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9989c84e5681124261d3acf3babba04f

SHA1
b84965a51b9b19f1b7c683489ecbd2ebd51b601d

SHA256
10e2b24d9b6ed6c02a855408e2fcee1b136c635dc2d5d7e2fbd32d8aaf7d3fa2

SHA512
4f88d939550bb590e48cd3585cd23699290d9aa47682a0bdff7fe6a7684c454679df1d48721f4ab46a044b21c25ad9bd9d3d2d6ca63fb447e81389f3486cd6f4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
578851fddd7b21fd7150f170fa0d7515

SHA1
0f23a7f6d78cfe276c2164d529c957b90d4c1d7e

SHA256
ca0ca53e0fab32fae81d36e547a8545e409831245742badb091724f2b0bc23b8

SHA512
13e6eda18ba946a44df3e9c6a41ce6c14fa3f7821eeba231207e0cf750607f16f275d13d9f39ba8f1a5344bc7ca582c1ee8a9caedb4356fdae3cac485f0ea525

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
89dea3e5a7cc27eef470f02a71251f0b

SHA1
32eea3a564b81754ef0630e8e5f3015a58bc65e0

SHA256
9c088d7577aea9e575f0f7c86de750243b80502e79cc633b2dad51a5a686f67b

SHA512
40c3ea44225db9b437d2733fc2edf23d19bb0c380b63e3548357917c81e69c175eef0698081feddfaf62d1c2f95d994e2e4070d4db4d87a897f977bf1abc6451

Download Submit
memory/400-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/400-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/400-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/400-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/452-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1076-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1076-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1644-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3904-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3904-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3904-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3920-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3920-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download