neconyd | e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
Size

96KB
MD5

8a7a253a61b0143f0d4ffb05e3e90f4a
SHA1

769c0b777b51b22916483415495b306ee427e838
SHA256

e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b
SHA512

a62efaacffb20ea4fc9b23130566ceef87f59a2e68eca2702baa725cb33d118456463f09e12173538942141e6a67f5f25eebd01bbdc033f9da7ebe0c75bab616
SSDEEP

1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1508	omsecor.exe
2096	omsecor.exe
4708	omsecor.exe
4920	omsecor.exe
384	omsecor.exe
3792	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 1508 set thread context of 2096	1508	omsecor.exe	87
PID 4708 set thread context of 4920	4708	omsecor.exe	109
PID 384 set thread context of 3792	384	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
984	2736	WerFault.exe	82
1832	1508	WerFault.exe	85
1352	4708	WerFault.exe	108
984	384	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 2736 wrote to memory of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 2736 wrote to memory of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 2736 wrote to memory of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 2736 wrote to memory of 640	2736	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	83
PID 640 wrote to memory of 1508	640	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	85
PID 640 wrote to memory of 1508	640	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	85
PID 640 wrote to memory of 1508	640	e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe	85
PID 1508 wrote to memory of 2096	1508	omsecor.exe	87
PID 1508 wrote to memory of 2096	1508	omsecor.exe	87
PID 1508 wrote to memory of 2096	1508	omsecor.exe	87
PID 1508 wrote to memory of 2096	1508	omsecor.exe	87
PID 1508 wrote to memory of 2096	1508	omsecor.exe	87
PID 2096 wrote to memory of 4708	2096	omsecor.exe	108
PID 2096 wrote to memory of 4708	2096	omsecor.exe	108
PID 2096 wrote to memory of 4708	2096	omsecor.exe	108
PID 4708 wrote to memory of 4920	4708	omsecor.exe	109
PID 4708 wrote to memory of 4920	4708	omsecor.exe	109
PID 4708 wrote to memory of 4920	4708	omsecor.exe	109
PID 4708 wrote to memory of 4920	4708	omsecor.exe	109
PID 4708 wrote to memory of 4920	4708	omsecor.exe	109
PID 4920 wrote to memory of 384	4920	omsecor.exe	111
PID 4920 wrote to memory of 384	4920	omsecor.exe	111
PID 4920 wrote to memory of 384	4920	omsecor.exe	111
PID 384 wrote to memory of 3792	384	omsecor.exe	113
PID 384 wrote to memory of 3792	384	omsecor.exe	113
PID 384 wrote to memory of 3792	384	omsecor.exe	113
PID 384 wrote to memory of 3792	384	omsecor.exe	113
PID 384 wrote to memory of 3792	384	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
"C:\Users\Admin\AppData\Local\Temp\e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
  C:\Users\Admin\AppData\Local\Temp\e081f75a0f1a222e0b5740b34158810d6ab2169b63ecd7041f27747374457c4b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 256
        8⤵
        Program crash
        
        PID:984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 304
        6⤵
        Program crash
        
        PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 300
      4⤵
      Program crash
      PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 300
  2⤵
  - Program crash
  PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2736 -ip 2736
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1508 -ip 1508
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4708 -ip 4708
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 384 -ip 384
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cbc9908365dae4f7a2ee4f6befc7e0ea

SHA1
0102cd26e8c315582d608b8e80f2acd8c0bcc67c

SHA256
b05a07324a68e9d48dfdd595f3676c03cb0209d46a99aa7c4c3515e2eca76c40

SHA512
b7789b86f763fe256b911a01c2f495633d6e132bc610b9dae2da19b4aad954a7f90159e6627f074d60e656fb960e792a32436ce2f62924605f0a4771b75f7bff

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c0a9801f2d2ecea840d367ea797d4549

SHA1
02f0cf3f35ae10f625edfbd674267a05ab58c56e

SHA256
74de7521f8dbee88c0312329e1179170229bdb3202859b08a908d1f68486514c

SHA512
daa8a5acc8d24eff6b49e55c6ada20eb9f2c133c9315a8f295a538f833f75a6eaebe578fdbe6434a6f55d6a91c2ad1bbf66a6306436945f667acc7831d2b36b6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cfdaa6b14ee0e8fb638f058b57503d91

SHA1
f42fe6df916af1c5bdb6a2a83af2f598f53a3a33

SHA256
1a25858c1a0fd2964a8cd8abf04147242c21448d79259525629c2399cae0f5ac

SHA512
089128cb123c103caecd89c078c4d53f2bae7487055f9b5e64ff486a3a2ac5e7e00df3f3f859d8a7bf964fd67d5e31544af57004b1cfea58c3b778854072cee9

Download Submit
memory/384-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/640-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1508-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3792-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4708-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4920-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download