neconyd | 01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
Size

96KB
MD5

ab5583e0e923e990485351f4b61f3370
SHA1

087c3c1c65f131203d8a865be033c9dd9778e429
SHA256

01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39
SHA512

261608cbcbd2c78fa0f758044af08e9d233c9df74db80c503c76a267e52b18845c3b17eb9244b0d04cbc6cd63f73f789f779065ec69459d07aa891c20b0c79cf
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
3048	omsecor.exe
4944	omsecor.exe
1284	omsecor.exe
3420	omsecor.exe
3444	omsecor.exe
3664	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3464 set thread context of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 3048 set thread context of 4944	3048	omsecor.exe	88
PID 1284 set thread context of 3420	1284	omsecor.exe	108
PID 3444 set thread context of 3664	3444	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
808	3048	WerFault.exe	87
2420	3464	WerFault.exe	83
1872	1284	WerFault.exe	107
3880	3444	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 3464 wrote to memory of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 3464 wrote to memory of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 3464 wrote to memory of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 3464 wrote to memory of 5048	3464	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	84
PID 5048 wrote to memory of 3048	5048	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	87
PID 5048 wrote to memory of 3048	5048	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	87
PID 5048 wrote to memory of 3048	5048	01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe	87
PID 3048 wrote to memory of 4944	3048	omsecor.exe	88
PID 3048 wrote to memory of 4944	3048	omsecor.exe	88
PID 3048 wrote to memory of 4944	3048	omsecor.exe	88
PID 3048 wrote to memory of 4944	3048	omsecor.exe	88
PID 3048 wrote to memory of 4944	3048	omsecor.exe	88
PID 4944 wrote to memory of 1284	4944	omsecor.exe	107
PID 4944 wrote to memory of 1284	4944	omsecor.exe	107
PID 4944 wrote to memory of 1284	4944	omsecor.exe	107
PID 1284 wrote to memory of 3420	1284	omsecor.exe	108
PID 1284 wrote to memory of 3420	1284	omsecor.exe	108
PID 1284 wrote to memory of 3420	1284	omsecor.exe	108
PID 1284 wrote to memory of 3420	1284	omsecor.exe	108
PID 1284 wrote to memory of 3420	1284	omsecor.exe	108
PID 3420 wrote to memory of 3444	3420	omsecor.exe	110
PID 3420 wrote to memory of 3444	3420	omsecor.exe	110
PID 3420 wrote to memory of 3444	3420	omsecor.exe	110
PID 3444 wrote to memory of 3664	3444	omsecor.exe	112
PID 3444 wrote to memory of 3664	3444	omsecor.exe	112
PID 3444 wrote to memory of 3664	3444	omsecor.exe	112
PID 3444 wrote to memory of 3664	3444	omsecor.exe	112
PID 3444 wrote to memory of 3664	3444	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
"C:\Users\Admin\AppData\Local\Temp\01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
  C:\Users\Admin\AppData\Local\Temp\01ea631963c39312dce4856b1b54aabc229e2651a5786cc8f631d4a1b1d7aa39N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 268
        8⤵
        Program crash
        
        PID:3880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 292
        6⤵
        Program crash
        
        PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 300
      4⤵
      Program crash
      PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 256
  2⤵
  - Program crash
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3464 -ip 3464
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3048 -ip 3048
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1284 -ip 1284
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3444 -ip 3444
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4466d04e3d669e668844dc956893b051

SHA1
a2e15472457ff85a2aa43a5d27179011de689a59

SHA256
5f75cf1450fba818c47e363766ed39d0ba5c8eaeca59c9673636b0c1d6e89a28

SHA512
437fd4db26b269834acd90a1296b3b32d0589a1d572ca4654ce7cce13cadf5a3dbfc438f97bd6b6b9becd0054379dca140c20c1699ce3efba4d42d715a53f86b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0e9ce0076132df54dcb0ca677a9b6713

SHA1
d686f360ffa9b6cc75c35151e01f7cf6486da405

SHA256
4d4f9862a8443627f8de4e0b542d423712826ff8ff159856b7f98ebb92fad556

SHA512
ee0773d3b1dd10d78d75f69c6577e621f041f74174024f9cdcb3c05e147f2541632b17c844206b7188df97d1f72f931d503ea58026c44a6e9a99995d76a61e54

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
26ee384192208ead68cd999b48cef0d3

SHA1
ae1b66a08e89bf249f3a3d1214798316852d65c6

SHA256
70f08c7b69f70d31387670a7f70374f53958f7d02a2e9b49ce8538d835abe32c

SHA512
1df3768fcc1006d7587e79101cfe65ff4ce1b2b653c6f19a1e9c7c66efbe64018d7637f6099655695e8960641497227aece2c93615afd6212b1e8a3e0f86dacf

Download Submit
memory/1284-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3048-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3048-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3420-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3420-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3420-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3444-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3444-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3464-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3464-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3664-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3664-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3664-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3664-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download