neconyd | 7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe
Size

96KB
MD5

1432a77502a82562f42531e215616b94
SHA1

6d18ec0ae18f84e782e65d537c1846969271a08c
SHA256

7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84
SHA512

cb5acfca96a9fbbb8575f21aefd74bfb9722140d95b12bf17c52dab8f8c60c4545c82c80fc4292544a6f1dd254f9b11c4ef57a7cc00f884da956108d61a68738
SSDEEP

1536:gnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:gGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3344	omsecor.exe
4212	omsecor.exe
2364	omsecor.exe
3652	omsecor.exe
452	omsecor.exe
4848	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 3344 set thread context of 4212	3344	omsecor.exe	87
PID 2364 set thread context of 3652	2364	omsecor.exe	108
PID 452 set thread context of 4848	452	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3252	4396	WerFault.exe	82
1972	3344	WerFault.exe	85
3804	2364	WerFault.exe	107
4352	452	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 4396 wrote to memory of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 4396 wrote to memory of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 4396 wrote to memory of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 4396 wrote to memory of 3584	4396	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	83
PID 3584 wrote to memory of 3344	3584	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	85
PID 3584 wrote to memory of 3344	3584	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	85
PID 3584 wrote to memory of 3344	3584	7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe	85
PID 3344 wrote to memory of 4212	3344	omsecor.exe	87
PID 3344 wrote to memory of 4212	3344	omsecor.exe	87
PID 3344 wrote to memory of 4212	3344	omsecor.exe	87
PID 3344 wrote to memory of 4212	3344	omsecor.exe	87
PID 3344 wrote to memory of 4212	3344	omsecor.exe	87
PID 4212 wrote to memory of 2364	4212	omsecor.exe	107
PID 4212 wrote to memory of 2364	4212	omsecor.exe	107
PID 4212 wrote to memory of 2364	4212	omsecor.exe	107
PID 2364 wrote to memory of 3652	2364	omsecor.exe	108
PID 2364 wrote to memory of 3652	2364	omsecor.exe	108
PID 2364 wrote to memory of 3652	2364	omsecor.exe	108
PID 2364 wrote to memory of 3652	2364	omsecor.exe	108
PID 2364 wrote to memory of 3652	2364	omsecor.exe	108
PID 3652 wrote to memory of 452	3652	omsecor.exe	110
PID 3652 wrote to memory of 452	3652	omsecor.exe	110
PID 3652 wrote to memory of 452	3652	omsecor.exe	110
PID 452 wrote to memory of 4848	452	omsecor.exe	112
PID 452 wrote to memory of 4848	452	omsecor.exe	112
PID 452 wrote to memory of 4848	452	omsecor.exe	112
PID 452 wrote to memory of 4848	452	omsecor.exe	112
PID 452 wrote to memory of 4848	452	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe
"C:\Users\Admin\AppData\Local\Temp\7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe
  C:\Users\Admin\AppData\Local\Temp\7b18b0c800fa6563dead80123877ec493ad78a300f8737dab9530b7160c9dd84.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 256
        8⤵
        Program crash
        
        PID:4352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 292
        6⤵
        Program crash
        
        PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 300
      4⤵
      Program crash
      PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 300
  2⤵
  - Program crash
  PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3344 -ip 3344
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2364 -ip 2364
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 452 -ip 452
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e636be491c63f98b528f60136e389097

SHA1
7a6636c72610ecbe2892d491cecb201e9e1d9f36

SHA256
28e984387385b1107371c8e07ee5a67bd937d30dcb7ab94e7b923a287440b04e

SHA512
2934a461c75aac9cea9dbb2e223bb41e13a4d4a1b15d7d31dee0734feb569e24a0f2a3de7bf031d40d1f2ffd08126acb91394803f83f656a407b97513dc94504

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fb71b0d2f1179e3dbd9f372576672515

SHA1
fa06e17dae57b5b3d2d874bae18f2bbbe45d6447

SHA256
747acff1eef8bc3eeac596f188b105f304b3bfea359dae550f00e91a49a723db

SHA512
b7765d36eaa8f8c4e36ad449b41e2ca84803edeb97f9d1f8928e8dbd664d00a34aec855b225bf6010557689748ecaf82068d895f7bc5d25640c74a0e335ecb6d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e66fd7fd77e8c5e960d786e2a91b6582

SHA1
e507d91697367a7bf6f1ecbcbfb14f7f5c6c546b

SHA256
20be2457f719f414d19bf7d5d164a87415f30484c4fee9af733a90745d57dd31

SHA512
4448a88e5e237da232e754b2442ea785a56f7b772c22147e4c108bb035a5c8bd806774576f9a0ddef06a21dd0f3420789b6d31941f816fe21414756b4e2d59bb

Download Submit
memory/452-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/452-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3344-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3344-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3584-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4212-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4396-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4848-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download