neconyd | 1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71edd

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
Size

96KB
MD5

09c1343f5c6569a94a353a4110630790
SHA1

9ad610d1456dbe6ec9376b3a2d305320a8442c36
SHA256

1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71edd
SHA512

6e821bc53128b120cba4d84f3e69f08ac8235f1974aff0f06390f237ecc2e0c0295ff569ca1984d14e5cf5cb218e050619e26f17ee00c9e4d0208f89eb05937a
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:0Gs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1972	omsecor.exe
5112	omsecor.exe
744	omsecor.exe
2908	omsecor.exe
4796	omsecor.exe
4748	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 1972 set thread context of 5112	1972	omsecor.exe	88
PID 744 set thread context of 2908	744	omsecor.exe	109
PID 4796 set thread context of 4748	4796	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2788	1792	WerFault.exe	82
632	1972	WerFault.exe	86
2788	744	WerFault.exe	108
1988	4796	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 1792 wrote to memory of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 1792 wrote to memory of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 1792 wrote to memory of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 1792 wrote to memory of 4716	1792	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	83
PID 4716 wrote to memory of 1972	4716	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	86
PID 4716 wrote to memory of 1972	4716	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	86
PID 4716 wrote to memory of 1972	4716	1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe	86
PID 1972 wrote to memory of 5112	1972	omsecor.exe	88
PID 1972 wrote to memory of 5112	1972	omsecor.exe	88
PID 1972 wrote to memory of 5112	1972	omsecor.exe	88
PID 1972 wrote to memory of 5112	1972	omsecor.exe	88
PID 1972 wrote to memory of 5112	1972	omsecor.exe	88
PID 5112 wrote to memory of 744	5112	omsecor.exe	108
PID 5112 wrote to memory of 744	5112	omsecor.exe	108
PID 5112 wrote to memory of 744	5112	omsecor.exe	108
PID 744 wrote to memory of 2908	744	omsecor.exe	109
PID 744 wrote to memory of 2908	744	omsecor.exe	109
PID 744 wrote to memory of 2908	744	omsecor.exe	109
PID 744 wrote to memory of 2908	744	omsecor.exe	109
PID 744 wrote to memory of 2908	744	omsecor.exe	109
PID 2908 wrote to memory of 4796	2908	omsecor.exe	111
PID 2908 wrote to memory of 4796	2908	omsecor.exe	111
PID 2908 wrote to memory of 4796	2908	omsecor.exe	111
PID 4796 wrote to memory of 4748	4796	omsecor.exe	113
PID 4796 wrote to memory of 4748	4796	omsecor.exe	113
PID 4796 wrote to memory of 4748	4796	omsecor.exe	113
PID 4796 wrote to memory of 4748	4796	omsecor.exe	113
PID 4796 wrote to memory of 4748	4796	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
"C:\Users\Admin\AppData\Local\Temp\1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
  C:\Users\Admin\AppData\Local\Temp\1cf886aef903639e3fa24ae8eea7e89658d3b0f81d64a8fb5cd405dccbf71eddN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 256
        8⤵
        Program crash
        
        PID:1988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 296
        6⤵
        Program crash
        
        PID:2788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 300
      4⤵
      Program crash
      PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 288
  2⤵
  - Program crash
  PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1792 -ip 1792
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1972 -ip 1972
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 744 -ip 744
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4796 -ip 4796
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
90ecfe1500b49e32834e99223d4bb107

SHA1
26ce8b63cd6757c8df85e123ed5d5f7bdca1560a

SHA256
1f545b2a44070dba3992c9176ba5be57349370d51bf90fd5a111cdc45db5e9b1

SHA512
ec8d3fb46513c3399fc13a57b263a8ea38de38a5bc97019dbf4bb11bc97a86f0c50625978cc97e722e3aa67fbd7f1f06fc15ab958af03c0ff54ca2967cb3eee8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
723a90486314895b0ea77f077b4a5d2b

SHA1
4edee1f9850415b5779373a9b070a4d7ea7f7b16

SHA256
ac6f3604483de234cd9bbd31daeab1c25ab80261b25764173024906a820a72fc

SHA512
d1a1290973a81237f9f3e1c498e01e08c4d226f45db4d7da2e094154e3ce81d015a35fac09b628aae093af4f968e3f55c8b68d11c61775843f9c4e08f8024261

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
b867fd981ccc53b6044c409276517ddb

SHA1
a9485642c2c645e1d15c470bde86283bbede1299

SHA256
b43dd1ee9eee81da53681e97046dd54fa9c73e0ebf3db337bfe31320eb014954

SHA512
e1e77cd8b82470d1640a5c9fbdf3936b9560678c948a100ddcf581aa9160e5126199d63f14c86f6531a251746f03e1555a470ea42dbf99376e1f1637edaefe22

Download Submit
memory/744-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/744-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1792-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1792-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1972-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1972-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2908-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2908-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4716-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4716-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4716-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4716-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5112-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download