neconyd | efbccf57d9e7fdfe4fbf2457a06b3daba7a5d1a2c1112c058b8c8401e630ee86

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c465ff2dd75a6203c1607f802ba2aec0N.exe
Size

96KB
MD5

c465ff2dd75a6203c1607f802ba2aec0
SHA1

b3c81a03cd5d48ce54e630807d3369a6f27de4c1
SHA256

efbccf57d9e7fdfe4fbf2457a06b3daba7a5d1a2c1112c058b8c8401e630ee86
SHA512

4292df9f488478f30d0754cec0d5a3f7030e231474d02c5944bc3ff8081448b0cc8991173919616e0e1ceab5cae8920b2ed7d4f140b575c15b833bf48ee08ef5
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:PGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
4416	omsecor.exe
4532	omsecor.exe
2688	omsecor.exe
4472	omsecor.exe
1392	omsecor.exe
4396	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 4416 set thread context of 4532	4416	omsecor.exe	88
PID 2688 set thread context of 4472	2688	omsecor.exe	105
PID 1392 set thread context of 4396	1392	omsecor.exe	109

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4012	2940	WerFault.exe	82
4652	4416	WerFault.exe	86
5076	2688	WerFault.exe	104
2980	1392	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c465ff2dd75a6203c1607f802ba2aec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c465ff2dd75a6203c1607f802ba2aec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 2940 wrote to memory of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 2940 wrote to memory of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 2940 wrote to memory of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 2940 wrote to memory of 2436	2940	c465ff2dd75a6203c1607f802ba2aec0N.exe	84
PID 2436 wrote to memory of 4416	2436	c465ff2dd75a6203c1607f802ba2aec0N.exe	86
PID 2436 wrote to memory of 4416	2436	c465ff2dd75a6203c1607f802ba2aec0N.exe	86
PID 2436 wrote to memory of 4416	2436	c465ff2dd75a6203c1607f802ba2aec0N.exe	86
PID 4416 wrote to memory of 4532	4416	omsecor.exe	88
PID 4416 wrote to memory of 4532	4416	omsecor.exe	88
PID 4416 wrote to memory of 4532	4416	omsecor.exe	88
PID 4416 wrote to memory of 4532	4416	omsecor.exe	88
PID 4416 wrote to memory of 4532	4416	omsecor.exe	88
PID 4532 wrote to memory of 2688	4532	omsecor.exe	104
PID 4532 wrote to memory of 2688	4532	omsecor.exe	104
PID 4532 wrote to memory of 2688	4532	omsecor.exe	104
PID 2688 wrote to memory of 4472	2688	omsecor.exe	105
PID 2688 wrote to memory of 4472	2688	omsecor.exe	105
PID 2688 wrote to memory of 4472	2688	omsecor.exe	105
PID 2688 wrote to memory of 4472	2688	omsecor.exe	105
PID 2688 wrote to memory of 4472	2688	omsecor.exe	105
PID 4472 wrote to memory of 1392	4472	omsecor.exe	107
PID 4472 wrote to memory of 1392	4472	omsecor.exe	107
PID 4472 wrote to memory of 1392	4472	omsecor.exe	107
PID 1392 wrote to memory of 4396	1392	omsecor.exe	109
PID 1392 wrote to memory of 4396	1392	omsecor.exe	109
PID 1392 wrote to memory of 4396	1392	omsecor.exe	109
PID 1392 wrote to memory of 4396	1392	omsecor.exe	109
PID 1392 wrote to memory of 4396	1392	omsecor.exe	109

C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
"C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
  C:\Users\Admin\AppData\Local\Temp\c465ff2dd75a6203c1607f802ba2aec0N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 268
        8⤵
        Program crash
        
        PID:2980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 292
        6⤵
        Program crash
        
        PID:5076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 300
      4⤵
      Program crash
      PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 300
  2⤵
  - Program crash
  PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2940 -ip 2940
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4416 -ip 4416
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2688 -ip 2688
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1392 -ip 1392
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1320a9245dae4660b8786cc81c27fc4e

SHA1
2f766d432e4812396a71d4591407adf79fae70c8

SHA256
c59da8edf072249f7de81b3e2b746101613ccd098197b5f95d4ced14b06831b5

SHA512
06648367cb6ef9a00cc61c00a88f6ab72277141fe04e1efec184a883f9b0dd4de8fcc8fc1613ba4be79ec1d66a1798c7c5b439a6e8ae35ce02353e8edc14c610

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
71f3c35c8f2014ae2bf9cad875386c99

SHA1
e0756f4227e8616aa00b0f0a9b4f171225fc3d14

SHA256
622dc432a168e9149d4a532546b970b73c7699444805f211e248a04fcb835053

SHA512
d1c81e624b6a5ae3e96150caf939893d794bff24af720639cab275fb198ba2e6c63987be4883c468433e47daaaa4046c26d4d6d54caed645f8ea4502c9dc5cfb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e7c8d3fd049d84b6a9a1bb242c733f31

SHA1
301fb01fd45b920a028fbf7de057638258f22985

SHA256
f60bd0c7f4ef77a4a9ec6c2e74c1631fa4fd9a3e965770a5ecd064d407aeda91

SHA512
0c28549420b507050bf314ce320c6976b156bb3371bfe50ce3671e37d5a001528de2ecc7b231414a7717699ae2802b7347210dfa007a4a492b58f82d56bb4170

Download Submit
memory/1392-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2436-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2436-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2688-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2940-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2940-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4396-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4416-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4472-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4532-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download