neconyd | 29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Size

96KB
MD5

686314d255c8dc7433a5589a68e2118f
SHA1

3bd6ad33bb317458e972e942e122a534b5dc2f8f
SHA256

29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc
SHA512

99a26a74d6e01acc6693298e1241ec5681bfb4b24797e76202bcac7db757f7e741b1bf4344aa7a75c9944d52d251db8e72c11711769e75f0035f6cc8ae36da48
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:0Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1636	omsecor.exe
888	omsecor.exe
3272	omsecor.exe
4436	omsecor.exe
4052	omsecor.exe
1392	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1636 set thread context of 888	1636	omsecor.exe	87
PID 3272 set thread context of 4436	3272	omsecor.exe	105
PID 4052 set thread context of 1392	4052	omsecor.exe	108

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3972	1524	WerFault.exe	82
3180	1636	WerFault.exe	86
4456	3272	WerFault.exe	104
1628	4052	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1524 wrote to memory of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1524 wrote to memory of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1524 wrote to memory of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1524 wrote to memory of 1004	1524	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	83
PID 1004 wrote to memory of 1636	1004	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 1004 wrote to memory of 1636	1004	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 1004 wrote to memory of 1636	1004	29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe	86
PID 1636 wrote to memory of 888	1636	omsecor.exe	87
PID 1636 wrote to memory of 888	1636	omsecor.exe	87
PID 1636 wrote to memory of 888	1636	omsecor.exe	87
PID 1636 wrote to memory of 888	1636	omsecor.exe	87
PID 1636 wrote to memory of 888	1636	omsecor.exe	87
PID 888 wrote to memory of 3272	888	omsecor.exe	104
PID 888 wrote to memory of 3272	888	omsecor.exe	104
PID 888 wrote to memory of 3272	888	omsecor.exe	104
PID 3272 wrote to memory of 4436	3272	omsecor.exe	105
PID 3272 wrote to memory of 4436	3272	omsecor.exe	105
PID 3272 wrote to memory of 4436	3272	omsecor.exe	105
PID 3272 wrote to memory of 4436	3272	omsecor.exe	105
PID 3272 wrote to memory of 4436	3272	omsecor.exe	105
PID 4436 wrote to memory of 4052	4436	omsecor.exe	107
PID 4436 wrote to memory of 4052	4436	omsecor.exe	107
PID 4436 wrote to memory of 4052	4436	omsecor.exe	107
PID 4052 wrote to memory of 1392	4052	omsecor.exe	108
PID 4052 wrote to memory of 1392	4052	omsecor.exe	108
PID 4052 wrote to memory of 1392	4052	omsecor.exe	108
PID 4052 wrote to memory of 1392	4052	omsecor.exe	108
PID 4052 wrote to memory of 1392	4052	omsecor.exe	108

C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
"C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  C:\Users\Admin\AppData\Local\Temp\29cd64a5caea5ff774591db67870db2ad216f1ffd84e438d571d4b744f4c67fc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 256
        8⤵
        Program crash
        
        PID:1628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 292
        6⤵
        Program crash
        
        PID:4456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 288
      4⤵
      Program crash
      PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 288
  2⤵
  - Program crash
  PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1524 -ip 1524
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1636 -ip 1636
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3272 -ip 3272
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4052 -ip 4052
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c133718f5887eb66b9440a6747f2fe36

SHA1
16f651de5950ab8ec69021b05fff6a98c737a28a

SHA256
0e0404cdc5f38028d9458c866b87166d41e121bd25ea4c5c26b8bda4b910b7e7

SHA512
058f922dcb7b81f478bed79aa154c002633714dfb6f630363c82585306639331582a1fe3e667efb0304302183427640be461e5217c62c5b427aedcdb4ff01351

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
29b1b355833da1b72a5b3feed6b5e592

SHA1
e17a9b47aa5f75964084cd12a014779c141c8e28

SHA256
02adf171a2181bcfbc1c428b3e30c76df58bcc6aa674348236bd2f3408a07d25

SHA512
80071b57966561419d8ec9091d0eb44a4cd5f811796a274944c0f0580731f1523d1d2e2602b8522d30f3c10bd16e8852e3c3016821eae8da58f1b2b47f1ec3e0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
db5290ba2009f80df7bcbb05a74c37aa

SHA1
a676ade7ee963323b8185c8210285a5d6ed92fcd

SHA256
cfd1e1ce7d183f76b3023549d6a004db54781fdd01666aa9e30c160ef8be380f

SHA512
4f307c158b9fe3a8b77ff331a490e693721e8f7e0369ea74a749a1a56a01ed2a5b85a8d3678cfa51ae25a57450177216a933fe3f881d4f2b2662895a8d64514f

Download Submit
memory/888-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/888-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1392-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1392-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1392-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3272-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3272-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4052-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4436-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download