neconyd | 928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
Size

96KB
MD5

a7dad23f9097171380f21aa842e154fe
SHA1

4a1a0d72bde7e5b941692eedc6098be1742e21f2
SHA256

928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b
SHA512

8793115a37509c12a361f0d0c1a361db7574d5df63d1f085d2ba9430f4b3ed70ad1a9f77fb26cb7ea96be8bdb8bfef2529c4d1dab3b47a1d0fdd22076fbfd7cf
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:DGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4852	omsecor.exe
4228	omsecor.exe
4524	omsecor.exe
3444	omsecor.exe
4168	omsecor.exe
4576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 4852 set thread context of 4228	4852	omsecor.exe	87
PID 4524 set thread context of 3444	4524	omsecor.exe	108
PID 4168 set thread context of 4576	4168	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2472	1320	WerFault.exe	82
2896	4852	WerFault.exe	86
4668	4524	WerFault.exe	107
3656	4168	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 1320 wrote to memory of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 1320 wrote to memory of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 1320 wrote to memory of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 1320 wrote to memory of 2576	1320	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	83
PID 2576 wrote to memory of 4852	2576	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	86
PID 2576 wrote to memory of 4852	2576	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	86
PID 2576 wrote to memory of 4852	2576	928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe	86
PID 4852 wrote to memory of 4228	4852	omsecor.exe	87
PID 4852 wrote to memory of 4228	4852	omsecor.exe	87
PID 4852 wrote to memory of 4228	4852	omsecor.exe	87
PID 4852 wrote to memory of 4228	4852	omsecor.exe	87
PID 4852 wrote to memory of 4228	4852	omsecor.exe	87
PID 4228 wrote to memory of 4524	4228	omsecor.exe	107
PID 4228 wrote to memory of 4524	4228	omsecor.exe	107
PID 4228 wrote to memory of 4524	4228	omsecor.exe	107
PID 4524 wrote to memory of 3444	4524	omsecor.exe	108
PID 4524 wrote to memory of 3444	4524	omsecor.exe	108
PID 4524 wrote to memory of 3444	4524	omsecor.exe	108
PID 4524 wrote to memory of 3444	4524	omsecor.exe	108
PID 4524 wrote to memory of 3444	4524	omsecor.exe	108
PID 3444 wrote to memory of 4168	3444	omsecor.exe	110
PID 3444 wrote to memory of 4168	3444	omsecor.exe	110
PID 3444 wrote to memory of 4168	3444	omsecor.exe	110
PID 4168 wrote to memory of 4576	4168	omsecor.exe	112
PID 4168 wrote to memory of 4576	4168	omsecor.exe	112
PID 4168 wrote to memory of 4576	4168	omsecor.exe	112
PID 4168 wrote to memory of 4576	4168	omsecor.exe	112
PID 4168 wrote to memory of 4576	4168	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
"C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
  C:\Users\Admin\AppData\Local\Temp\928415cfac48941706e12d22195bad42667ceab991cda5f6a2ee92c660efe39b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 256
        8⤵
        Program crash
        
        PID:3656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 292
        6⤵
        Program crash
        
        PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 292
      4⤵
      Program crash
      PID:2896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 296
  2⤵
  - Program crash
  PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1320 -ip 1320
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4852 -ip 4852
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4524 -ip 4524
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4168 -ip 4168
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8e50e8ff7e7263bb22f7e350ee7e86f7

SHA1
6365340c53c28ddc03dc8c33eb2ef841afcf8f0d

SHA256
b5452bc41ce2008c65d0979be65f1fdb9b2b851ff4d67eda2026912f277f9e72

SHA512
27b6fd837ba05c94e0d0003f2f5f7ab42bd11b0cc267d71350c0cbe866993a77f1e4c69d2813f0ef4e4e0baa87a00927f6089a5cd25ccf3c3520fa24931cd281

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8c2e0b579969885d5094358785561332

SHA1
ad7c938c8e92b1c4eda974d5cc0cdf0e2edc98b3

SHA256
e81165ae0641f8d1b8066aeb24e418443e0da6069fd3608a7a42fed4497e11ad

SHA512
0ed9ee41eeb5851bc748838dbaf7b7e9eb5256831b63dc7a353ab46feea77afb9fefb4cd730be95853aeec161a34d089d5921aa32d1815b2341428e4be047808

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b49d49b2f30bffa46d15ab1dbdf2aeeb

SHA1
ba134efa148ac46a5cc47af619bc2c971ab56db1

SHA256
92aea4e0928b9fef802fdd7baa9c4551acadff407d7842e62c1735819d91f748

SHA512
1bf4f82be31eab70eb75648362df10d500c2844ea361b87652f49e0d39b96c591c49a3d23ee0e0c5274235813dcb631d2149975b6915a426af8648071ecbc316

Download Submit
memory/1320-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1320-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2576-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3444-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3444-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3444-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4168-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4168-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4228-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4228-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4524-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4524-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4576-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4852-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4852-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download