neconyd | 037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfd

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
Size

96KB
MD5

86185d1a81bf1ac265a5f0097c854dc0
SHA1

32a3b8cdc7d43e2f9c0be87601f4a328500306e8
SHA256

037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfd
SHA512

ada2a2bb5fcc99929428eb2e221a7b2a76ee6939419beae237e1f40ce33e6bfe36d4e2bd5178d2bd722d28a03b21b3d652a711c6e381ac7f2c1fcb0d93dc8c4d
SSDEEP

1536:PnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:PGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4860	omsecor.exe
920	omsecor.exe
892	omsecor.exe
1952	omsecor.exe
3268	omsecor.exe
1784	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 4860 set thread context of 920	4860	omsecor.exe	86
PID 892 set thread context of 1952	892	omsecor.exe	100
PID 3268 set thread context of 1784	3268	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3164	4860	WerFault.exe	84
2604	5008	WerFault.exe	81
4468	892	WerFault.exe	99
3832	3268	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 5008 wrote to memory of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 5008 wrote to memory of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 5008 wrote to memory of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 5008 wrote to memory of 4948	5008	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	82
PID 4948 wrote to memory of 4860	4948	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	84
PID 4948 wrote to memory of 4860	4948	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	84
PID 4948 wrote to memory of 4860	4948	037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe	84
PID 4860 wrote to memory of 920	4860	omsecor.exe	86
PID 4860 wrote to memory of 920	4860	omsecor.exe	86
PID 4860 wrote to memory of 920	4860	omsecor.exe	86
PID 4860 wrote to memory of 920	4860	omsecor.exe	86
PID 4860 wrote to memory of 920	4860	omsecor.exe	86
PID 920 wrote to memory of 892	920	omsecor.exe	99
PID 920 wrote to memory of 892	920	omsecor.exe	99
PID 920 wrote to memory of 892	920	omsecor.exe	99
PID 892 wrote to memory of 1952	892	omsecor.exe	100
PID 892 wrote to memory of 1952	892	omsecor.exe	100
PID 892 wrote to memory of 1952	892	omsecor.exe	100
PID 892 wrote to memory of 1952	892	omsecor.exe	100
PID 892 wrote to memory of 1952	892	omsecor.exe	100
PID 1952 wrote to memory of 3268	1952	omsecor.exe	102
PID 1952 wrote to memory of 3268	1952	omsecor.exe	102
PID 1952 wrote to memory of 3268	1952	omsecor.exe	102
PID 3268 wrote to memory of 1784	3268	omsecor.exe	104
PID 3268 wrote to memory of 1784	3268	omsecor.exe	104
PID 3268 wrote to memory of 1784	3268	omsecor.exe	104
PID 3268 wrote to memory of 1784	3268	omsecor.exe	104
PID 3268 wrote to memory of 1784	3268	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
"C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
  C:\Users\Admin\AppData\Local\Temp\037d92ee0de7f8a39b5598edb1a79607ddcf2a2971adeeab2ce664dbe7902cfdN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 252
        8⤵
        Program crash
        
        PID:3832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 292
        6⤵
        Program crash
        
        PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 288
      4⤵
      Program crash
      PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 300
  2⤵
  - Program crash
  PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 5008
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4860 -ip 4860
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 892 -ip 892
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3268 -ip 3268
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a0324e64420b5ba4d2eceb88eea1cf12

SHA1
f0051b96f436f85712ecd721b87c9ac2e018f0db

SHA256
c93338e3fce3ea939582233765ceb44fadd0056b14390f60baad68f9113fda18

SHA512
77617a3fec3fc6e9897b9d4b12f5a8a2a101dcc10f966f8aee3620ea52539861cd9bf11c753fc3430e21239106f4172685743fbc7393506cf1c145d3123544f7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27bdd883cbea25fe3a08881d72240ead

SHA1
27605193ed187590aab2407b3904206cbe8b30c3

SHA256
0f46ac0278d11b609d5ae80b2d29cd03f11bc5e0c24d1635ac1426abcbe78d17

SHA512
601482696f7f49e175e187f54e912450534b73cd045790d458c3adad7c2c76c65b5ae5bc2f3c6d508e67c07c5599fc5b3ea6e831ae3d81f09f167a51c5c1ee81

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c9c23f2137befb3f32d11dffb8ba0f38

SHA1
2d845e764816407d65bbbf15899b0d2425adc869

SHA256
2158f677abcd828d1be9ea988ec08047856b4cd4c0e9fd64fd5dbd87415a8f25

SHA512
467bb0e1fc3b06a87787dd6f79faea655b7519c21123473b69aa76737dfd0ab46a8d93a35aeb1a51713d8c6449a898208ad2922f6d6496fd7af521658732d1b0

Download Submit
memory/892-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/892-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/920-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3268-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3268-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4860-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4860-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4948-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4948-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4948-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4948-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download