neconyd | 29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Size

96KB
MD5

686314d255c8dc7433a5589a68e2118f
SHA1

3bd6ad33bb317458e972e942e122a534b5dc2f8f
SHA256

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc
SHA512

99a26a74d6e01acc6693298e1241ec5681bfb4b24797e76202bcac7db757f7e741b1bf4344aa7a75c9944d52d251db8e72c11711769e75f0035f6cc8ae36da48
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:0Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2656	omsecor.exe
2552	omsecor.exe
2804	omsecor.exe
720	omsecor.exe
3572	omsecor.exe
1228	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 2656 set thread context of 2552	2656	omsecor.exe	88
PID 2804 set thread context of 720	2804	omsecor.exe	112
PID 3572 set thread context of 1228	3572	omsecor.exe	116

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1352	1552	WerFault.exe	83
1304	2656	WerFault.exe	86
3420	2804	WerFault.exe	111
2856	3572	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 1552 wrote to memory of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 1552 wrote to memory of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 1552 wrote to memory of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 1552 wrote to memory of 4896	1552	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	84
PID 4896 wrote to memory of 2656	4896	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 4896 wrote to memory of 2656	4896	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 4896 wrote to memory of 2656	4896	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 2656 wrote to memory of 2552	2656	omsecor.exe	88
PID 2656 wrote to memory of 2552	2656	omsecor.exe	88
PID 2656 wrote to memory of 2552	2656	omsecor.exe	88
PID 2656 wrote to memory of 2552	2656	omsecor.exe	88
PID 2656 wrote to memory of 2552	2656	omsecor.exe	88
PID 2552 wrote to memory of 2804	2552	omsecor.exe	111
PID 2552 wrote to memory of 2804	2552	omsecor.exe	111
PID 2552 wrote to memory of 2804	2552	omsecor.exe	111
PID 2804 wrote to memory of 720	2804	omsecor.exe	112
PID 2804 wrote to memory of 720	2804	omsecor.exe	112
PID 2804 wrote to memory of 720	2804	omsecor.exe	112
PID 2804 wrote to memory of 720	2804	omsecor.exe	112
PID 2804 wrote to memory of 720	2804	omsecor.exe	112
PID 720 wrote to memory of 3572	720	omsecor.exe	114
PID 720 wrote to memory of 3572	720	omsecor.exe	114
PID 720 wrote to memory of 3572	720	omsecor.exe	114
PID 3572 wrote to memory of 1228	3572	omsecor.exe	116
PID 3572 wrote to memory of 1228	3572	omsecor.exe	116
PID 3572 wrote to memory of 1228	3572	omsecor.exe	116
PID 3572 wrote to memory of 1228	3572	omsecor.exe	116
PID 3572 wrote to memory of 1228	3572	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
"C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 244
        8⤵
        Program crash
        
        PID:2856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 292
        6⤵
        Program crash
        
        PID:3420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 296
      4⤵
      Program crash
      PID:1304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 256
  2⤵
  - Program crash
  PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2656 -ip 2656
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2804 -ip 2804
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3572 -ip 3572
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
92e1b05557b574089f4349c031adf5ee

SHA1
ffd03f6c80f88e98b4bdaa956a1309bcda3e7682

SHA256
c8edf82e43163a754a929b6153d82d27a3ed1b3aa73c4e87ba961121d5cdd816

SHA512
310a294e5a22356f0aa538c4eb1885f8dc7fa131a236bb9d9196ad480b3bb66a94ad8364a875cf19588b4b462c4f150a61fb2cd2da1c4b4ed42c6a4fb5133cac

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
29b1b355833da1b72a5b3feed6b5e592

SHA1
e17a9b47aa5f75964084cd12a014779c141c8e28

SHA256
02adf171a2181bcfbc1c428b3e30c76df58bcc6aa674348236bd2f3408a07d25

SHA512
80071b57966561419d8ec9091d0eb44a4cd5f811796a274944c0f0580731f1523d1d2e2602b8522d30f3c10bd16e8852e3c3016821eae8da58f1b2b47f1ec3e0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d23f1716f0af9cdf90ccfc4ea1fa5f2f

SHA1
0686a3e7162d29c615d0315d50c7e6b46cc09319

SHA256
f1cbe33b210883699ccbe62f6dda3f7aaea8cb671766ba3ed114ac7165830917

SHA512
ebef811e5b47df209b90a285960f160280ce96d1f05301d781e70bcd392983f5ddaf2cc39cda1608d469a3f92118e3af99d6f6195e0a665a7a4899823994852d

Download Submit
memory/720-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/720-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1228-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1228-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1228-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1228-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1552-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2552-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2656-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2656-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3572-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4896-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4896-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4896-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4896-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download