neconyd | 65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
Size

134KB
MD5

966c07af2755cb188d97e669d7e2e6cc
SHA1

7be05fde06fe976cf751ba097ca9e0b8d9c5ff39
SHA256

65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34
SHA512

c82052e82903e9a23d14762d4f0779955d639aa513567080aeda335a4b68af737428e5082efc561950826a82e745bc7bd35dfddf531ac0b89e39ba2f764d193b
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1836	omsecor.exe
3556	omsecor.exe
4136	omsecor.exe
636	omsecor.exe
212	omsecor.exe
4436	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3724 set thread context of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 1836 set thread context of 3556	1836	omsecor.exe	89
PID 4136 set thread context of 636	4136	omsecor.exe	112
PID 212 set thread context of 4436	212	omsecor.exe	116

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2040	1836	WerFault.exe	87
2592	3724	WerFault.exe	84
4484	212	WerFault.exe	114
1356	4136	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 3724 wrote to memory of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 3724 wrote to memory of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 3724 wrote to memory of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 3724 wrote to memory of 3732	3724	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	85
PID 3732 wrote to memory of 1836	3732	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	87
PID 3732 wrote to memory of 1836	3732	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	87
PID 3732 wrote to memory of 1836	3732	65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe	87
PID 1836 wrote to memory of 3556	1836	omsecor.exe	89
PID 1836 wrote to memory of 3556	1836	omsecor.exe	89
PID 1836 wrote to memory of 3556	1836	omsecor.exe	89
PID 1836 wrote to memory of 3556	1836	omsecor.exe	89
PID 1836 wrote to memory of 3556	1836	omsecor.exe	89
PID 3556 wrote to memory of 4136	3556	omsecor.exe	111
PID 3556 wrote to memory of 4136	3556	omsecor.exe	111
PID 3556 wrote to memory of 4136	3556	omsecor.exe	111
PID 4136 wrote to memory of 636	4136	omsecor.exe	112
PID 4136 wrote to memory of 636	4136	omsecor.exe	112
PID 4136 wrote to memory of 636	4136	omsecor.exe	112
PID 4136 wrote to memory of 636	4136	omsecor.exe	112
PID 4136 wrote to memory of 636	4136	omsecor.exe	112
PID 636 wrote to memory of 212	636	omsecor.exe	114
PID 636 wrote to memory of 212	636	omsecor.exe	114
PID 636 wrote to memory of 212	636	omsecor.exe	114
PID 212 wrote to memory of 4436	212	omsecor.exe	116
PID 212 wrote to memory of 4436	212	omsecor.exe	116
PID 212 wrote to memory of 4436	212	omsecor.exe	116
PID 212 wrote to memory of 4436	212	omsecor.exe	116
PID 212 wrote to memory of 4436	212	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
"C:\Users\Admin\AppData\Local\Temp\65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
  C:\Users\Admin\AppData\Local\Temp\65c01cf7fad189150b07d0446868b805f03fbb4af10bc393f02afe03a3e7bf34.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 264
        8⤵
        Program crash
        
        PID:4484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 292
        6⤵
        Program crash
        
        PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 304
      4⤵
      Program crash
      PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 288
  2⤵
  - Program crash
  PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3724 -ip 3724
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1836 -ip 1836
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4136 -ip 4136
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 212 -ip 212
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9a2462a1571e65bad99e20ef6bc0cebc

SHA1
e7ae0b3d45880695204e4aa292d03f25d122ea39

SHA256
3ff97e1f9b29a94419bf56e39cc900d292214dc8ae9bceb867ac6a33d29cd3b5

SHA512
16c980d04afe90a0ef37812849241d04b3230a47b6981186e17c65483db6d296ba27a55ac695357a76a34473afe72fb925a0c3a79df3cf920a2cae5aaca064ec

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
73c08faca0ce496a75b754d4ff56a979

SHA1
47cf25fcfc0e8c9246fdde4d14a0c9dfa2ebf65a

SHA256
ee7d4d891290d4d7ab3e06dc9cce308a5f1a45cca1c46a0d46be42d349f1fb94

SHA512
15c333bc8586ac5478dd50d44259579a52d8670a66bb2c9e364e585b4db5bddf9833757fcbd7c17a55f6b84b0c9af907d524d376ce70dbda1e291d37aea55b95

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
0adeea52216d6420c2f2a9f2a60061a8

SHA1
a92cab16ee66e4afac003326b2e95ee1aa693f46

SHA256
64879707b80a9181043065aa7cad1125cc2dbe57460853dc30956155f4a78ad2

SHA512
42e7a13c1ca9781274276ac110cbf0ac1c3abf9dd5702cbaa3001ecb6793812b20961f753ec3775ca12b7ee880940d489abf9329403b34bc8241a349fc1176c2

Download Submit
memory/212-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/636-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/636-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/636-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1836-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1836-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3556-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3556-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3724-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3724-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3732-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3732-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3732-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3732-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4136-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4136-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4436-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download