neconyd | 652ffbfdcb370ab136b64ae233e58f9b59993dc6fe73083b014d8a5e4ff074ee

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Win32.exe
Size

96KB
MD5

5332f4b7ef96b87a961045df421446c0
SHA1

2310f542c21dd06999f34bf75997f70f6bce8c5f
SHA256

652ffbfdcb370ab136b64ae233e58f9b59993dc6fe73083b014d8a5e4ff074ee
SHA512

dcc9064725053e73df0947c55ba863d99c2e1fac99ffc10a2ff7691091a460c673323125474e0e7e8c600b91759d79cfdb9d4d75ebb3daf866a788aea91a8ba5
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:kGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2480	omsecor.exe
2620	omsecor.exe
5068	omsecor.exe
4368	omsecor.exe
4400	omsecor.exe
1356	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 1896	2624	Trojan.Win32.exe	82
PID 2480 set thread context of 2620	2480	omsecor.exe	87
PID 5068 set thread context of 4368	5068	omsecor.exe	100
PID 4400 set thread context of 1356	4400	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1940	2624	WerFault.exe	81
2576	2480	WerFault.exe	84
804	5068	WerFault.exe	99
640	4400	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1896	2624	Trojan.Win32.exe	82
PID 2624 wrote to memory of 1896	2624	Trojan.Win32.exe	82
PID 2624 wrote to memory of 1896	2624	Trojan.Win32.exe	82
PID 2624 wrote to memory of 1896	2624	Trojan.Win32.exe	82
PID 2624 wrote to memory of 1896	2624	Trojan.Win32.exe	82
PID 1896 wrote to memory of 2480	1896	Trojan.Win32.exe	84
PID 1896 wrote to memory of 2480	1896	Trojan.Win32.exe	84
PID 1896 wrote to memory of 2480	1896	Trojan.Win32.exe	84
PID 2480 wrote to memory of 2620	2480	omsecor.exe	87
PID 2480 wrote to memory of 2620	2480	omsecor.exe	87
PID 2480 wrote to memory of 2620	2480	omsecor.exe	87
PID 2480 wrote to memory of 2620	2480	omsecor.exe	87
PID 2480 wrote to memory of 2620	2480	omsecor.exe	87
PID 2620 wrote to memory of 5068	2620	omsecor.exe	99
PID 2620 wrote to memory of 5068	2620	omsecor.exe	99
PID 2620 wrote to memory of 5068	2620	omsecor.exe	99
PID 5068 wrote to memory of 4368	5068	omsecor.exe	100
PID 5068 wrote to memory of 4368	5068	omsecor.exe	100
PID 5068 wrote to memory of 4368	5068	omsecor.exe	100
PID 5068 wrote to memory of 4368	5068	omsecor.exe	100
PID 5068 wrote to memory of 4368	5068	omsecor.exe	100
PID 4368 wrote to memory of 4400	4368	omsecor.exe	102
PID 4368 wrote to memory of 4400	4368	omsecor.exe	102
PID 4368 wrote to memory of 4400	4368	omsecor.exe	102
PID 4400 wrote to memory of 1356	4400	omsecor.exe	104
PID 4400 wrote to memory of 1356	4400	omsecor.exe	104
PID 4400 wrote to memory of 1356	4400	omsecor.exe	104
PID 4400 wrote to memory of 1356	4400	omsecor.exe	104
PID 4400 wrote to memory of 1356	4400	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.exe
  C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 256
        8⤵
        Program crash
        
        PID:640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 292
        6⤵
        Program crash
        
        PID:804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 300
      4⤵
      Program crash
      PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 272
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2624 -ip 2624
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2480 -ip 2480
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5068 -ip 5068
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4400 -ip 4400
1⤵
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
74591f5d2755e85513418a9e9c5fff97

SHA1
f9d26de5511b92ab7e46a2f30f01960a507f9aca

SHA256
147f20df049679b401231899f6d02addc7e6e154572d72dc30761e136b341313

SHA512
f2aebbb708473fbcc0e1aff4275e0c417f93bcb369968a5617a4747ae5bb06ad5627476cac823d8eea2795407f093b7f355c6d8a78b09ed5c9b6ebb98c433440

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e23985675195267c853980fa19f08e45

SHA1
605887eb6e58c6aa46dcd967ae56172d67705156

SHA256
1d33327fdea342214640001b28a6e9cf3516d611c99be42f82b3e4430a2ab28d

SHA512
bfe8f5abe87953f57796e189f4e3b2faf936b4819389de43c069b00195f9a638ee0dd424f80bec8e78bb5270091a9ee2d074530ace4d1eb6e01f00b8288c362c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
177e29eeecedef1ca41934dda60fdd2f

SHA1
8df34e4384a07e2e963cb2e80ba2e42db2f00ef8

SHA256
968d58ad6f5f1582787ef77153a4ba15292617c512d7316aa03e240ccbd86b65

SHA512
e53d35ce8c5f71c74e25d339480b21530379cdbd27d744eb8e9b7b09cbd80ad5d820583466fef039350e676a9aa4da19d9dd2a0d212a757f0f681902de72b824

Download Submit
memory/1356-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1356-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1356-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1356-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2620-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2620-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2624-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2624-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4400-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5068-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5068-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download