neconyd | 18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Size

96KB
MD5

097d8bd0729b57c4ea0f55dcc49efd60
SHA1

e9e045e19973d2938f79f144f6217f24083b3629
SHA256

18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0e
SHA512

2d2a45aedacd47b11755500a1a1ef230063c98b32144a59f032901fa2336a802469bbf2b38a3c8262426515933eb98d97e6acfbb665ddde01b6edb364b45e6f5
SSDEEP

1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:AGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2928	omsecor.exe
2576	omsecor.exe
864	omsecor.exe
4912	omsecor.exe
3508	omsecor.exe
556	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 2928 set thread context of 2576	2928	omsecor.exe	87
PID 864 set thread context of 4912	864	omsecor.exe	109
PID 3508 set thread context of 556	3508	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4452	852	WerFault.exe	82
3580	2928	WerFault.exe	86
1352	864	WerFault.exe	108
3780	3508	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 852 wrote to memory of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 852 wrote to memory of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 852 wrote to memory of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 852 wrote to memory of 628	852	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	83
PID 628 wrote to memory of 2928	628	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	86
PID 628 wrote to memory of 2928	628	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	86
PID 628 wrote to memory of 2928	628	18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe	86
PID 2928 wrote to memory of 2576	2928	omsecor.exe	87
PID 2928 wrote to memory of 2576	2928	omsecor.exe	87
PID 2928 wrote to memory of 2576	2928	omsecor.exe	87
PID 2928 wrote to memory of 2576	2928	omsecor.exe	87
PID 2928 wrote to memory of 2576	2928	omsecor.exe	87
PID 2576 wrote to memory of 864	2576	omsecor.exe	108
PID 2576 wrote to memory of 864	2576	omsecor.exe	108
PID 2576 wrote to memory of 864	2576	omsecor.exe	108
PID 864 wrote to memory of 4912	864	omsecor.exe	109
PID 864 wrote to memory of 4912	864	omsecor.exe	109
PID 864 wrote to memory of 4912	864	omsecor.exe	109
PID 864 wrote to memory of 4912	864	omsecor.exe	109
PID 864 wrote to memory of 4912	864	omsecor.exe	109
PID 4912 wrote to memory of 3508	4912	omsecor.exe	111
PID 4912 wrote to memory of 3508	4912	omsecor.exe	111
PID 4912 wrote to memory of 3508	4912	omsecor.exe	111
PID 3508 wrote to memory of 556	3508	omsecor.exe	113
PID 3508 wrote to memory of 556	3508	omsecor.exe	113
PID 3508 wrote to memory of 556	3508	omsecor.exe	113
PID 3508 wrote to memory of 556	3508	omsecor.exe	113
PID 3508 wrote to memory of 556	3508	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
  C:\Users\Admin\AppData\Local\Temp\18ff163678f8e2d56287ff44a44c54cd5f06e6aa6276ed534a09681fd2214d0eN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 268
        8⤵
        Program crash
        
        PID:3780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 292
        6⤵
        Program crash
        
        PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 300
      4⤵
      Program crash
      PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 288
  2⤵
  - Program crash
  PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 852 -ip 852
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2928 -ip 2928
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 864 -ip 864
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3508 -ip 3508
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
838e33b1845403bd237dd95bd06a1101

SHA1
4994a64a8c9d507b4b6584831739ea325884024c

SHA256
7882a079c256c367702e21bd689c5cb92451cbca7b00367c63099bab1ce03580

SHA512
e7e10656fa7bd16989810b7715b2fb228f23d63b041cce67852350b535361ca5c52534616ff2675da691ea8a5dda7fe6a3c95a0dd91776f4709fa7cac1256d5a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6fffd9aa3760c5035bd091852bbad5de

SHA1
5154c2f18f2be302ed96b2e3a770cc7ec4b2fb5d

SHA256
f805d930a2da175d65e3b850a37e77a8b867f366ef8821c621ccc3ed779537dd

SHA512
e4bda74cee3071f32f20876a39ce5634c2edee7913dbb5495bc0d0f5d100822d0cd65547503a85558e60ab6d5f49d1ac72bc46686b1c191cf19dea0841a47c4a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
199a901b6bf85c0ed58022ac0609e3d8

SHA1
775edfc0dbec3cf755a33883f4f957c4698b0ca8

SHA256
c34a0f7d0ecbbe19ad22070a01f88eb5c75084b4dff40bc8c78550d661c92baf

SHA512
4647bbbad9b331ad9f5585b6bdbe2289b823852c84bb43c4ecffd3708e7bf66fd79cfd731e257bfe07a56951a50689aa4a3dd30446946ca1864ec92a1e9cc2d0

Download Submit
memory/556-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/556-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/556-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/852-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/852-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/864-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/864-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2576-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3508-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4912-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download