neconyd | 8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
Size

96KB
MD5

5432acb02d764b24c9476a9e39478a5d
SHA1

73ed59c6a4624c2b6785deba7a44d06b3a2ffb53
SHA256

8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf
SHA512

b07ed46e3487e942a03d6009bd8bd101567c6699ac3374e51a0358789e2c058b46c33b918d29c26a8726a07e6608a47ed8c1f5d8b53cc1e31717cacc16439ea0
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:QGs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2504	omsecor.exe
2632	omsecor.exe
3656	omsecor.exe
540	omsecor.exe
4932	omsecor.exe
4532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 2504 set thread context of 2632	2504	omsecor.exe	87
PID 3656 set thread context of 540	3656	omsecor.exe	100
PID 4932 set thread context of 4532	4932	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3964	4524	WerFault.exe	81
2520	2504	WerFault.exe	85
644	3656	WerFault.exe	99
4292	4932	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 4524 wrote to memory of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 4524 wrote to memory of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 4524 wrote to memory of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 4524 wrote to memory of 4996	4524	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	82
PID 4996 wrote to memory of 2504	4996	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	85
PID 4996 wrote to memory of 2504	4996	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	85
PID 4996 wrote to memory of 2504	4996	8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe	85
PID 2504 wrote to memory of 2632	2504	omsecor.exe	87
PID 2504 wrote to memory of 2632	2504	omsecor.exe	87
PID 2504 wrote to memory of 2632	2504	omsecor.exe	87
PID 2504 wrote to memory of 2632	2504	omsecor.exe	87
PID 2504 wrote to memory of 2632	2504	omsecor.exe	87
PID 2632 wrote to memory of 3656	2632	omsecor.exe	99
PID 2632 wrote to memory of 3656	2632	omsecor.exe	99
PID 2632 wrote to memory of 3656	2632	omsecor.exe	99
PID 3656 wrote to memory of 540	3656	omsecor.exe	100
PID 3656 wrote to memory of 540	3656	omsecor.exe	100
PID 3656 wrote to memory of 540	3656	omsecor.exe	100
PID 3656 wrote to memory of 540	3656	omsecor.exe	100
PID 3656 wrote to memory of 540	3656	omsecor.exe	100
PID 540 wrote to memory of 4932	540	omsecor.exe	102
PID 540 wrote to memory of 4932	540	omsecor.exe	102
PID 540 wrote to memory of 4932	540	omsecor.exe	102
PID 4932 wrote to memory of 4532	4932	omsecor.exe	103
PID 4932 wrote to memory of 4532	4932	omsecor.exe	103
PID 4932 wrote to memory of 4532	4932	omsecor.exe	103
PID 4932 wrote to memory of 4532	4932	omsecor.exe	103
PID 4932 wrote to memory of 4532	4932	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
"C:\Users\Admin\AppData\Local\Temp\8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
  C:\Users\Admin\AppData\Local\Temp\8d164879ff511843de723f8e0198d1f46055367257e454631e46d26523434cdf.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3656
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 268
        8⤵
        Program crash
        
        PID:4292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 292
        6⤵
        Program crash
        
        PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 300
      4⤵
      Program crash
      PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 288
  2⤵
  - Program crash
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2504 -ip 2504
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3656 -ip 3656
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4932 -ip 4932
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
2847a4ba0c3e5a07af1f860402d47ffd

SHA1
893122637d4ad3db02f83b1c4eb0433dc3d4e818

SHA256
41f9697d7dce7e7d518816be4fa2e554d54399795d7ebb3f07953f1c32c1a677

SHA512
9d910e3fb7258a68a5dacd6900414da65dae442df226ab191638f63681ddd460ef0a480f1a2401ac8f545add00fc78b9ac26b47f6385620e190ad9eae28489b0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b0391407456bd3ae11e00360df2dc510

SHA1
57cf7efedacb72958911a4aad1a4f246c7184138

SHA256
bfbff077fea0e92f8f69e16cae3074a5ddc0763ca30e7069f3f9cfe5c2aa95cf

SHA512
2dfff7016bfb848855a8a03d18f549ce796078e0debc429cb4312f11b2edaf7d1208b2fa0ba2daa74cb02b5b36c7b14719f89d73ec7229fedc9b67da85e13597

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
192061b8cb62fa5c26f27ef74f021cb9

SHA1
ee7dfef2011cdf077d752f1bc994d5b470aa9940

SHA256
708baab0d6fcdb357f2ca1eca6b335d58806921f02141eea06cc99c33d44b523

SHA512
9d6676eb130ea362187c2297dbd3942dac5ee39aad4a4f63fe785f6e474bbad5d5c4aa2fc79657c26e591295db03e3042a94f2303ea5414e1ed14e781b324374

Download Submit
memory/540-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2504-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2632-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2632-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4524-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4524-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4532-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4932-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4996-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4996-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4996-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4996-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download