neconyd | 779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Size

96KB
MD5

44e119256f80dc9a7d0e8c9a68a6f1f0
SHA1

6547b47e6252fca2e7fec300aa36a9cd654a89d2
SHA256

779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4
SHA512

16e872ba70f05d1d81c632b722326063b713a943cabb22bec50914fdfb46a2d7f85bde1ff781b38dc0777076c9d4ecfbce6605dc5f6ce7b808dd164e499f6b54
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:OGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
636	omsecor.exe
4012	omsecor.exe
464	omsecor.exe
1732	omsecor.exe
4456	omsecor.exe
4604	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 636 set thread context of 4012	636	omsecor.exe	87
PID 464 set thread context of 1732	464	omsecor.exe	108
PID 4456 set thread context of 4604	4456	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3512	1356	WerFault.exe	82
2252	636	WerFault.exe	85
2096	464	WerFault.exe	107
3952	4456	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 1356 wrote to memory of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 1356 wrote to memory of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 1356 wrote to memory of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 1356 wrote to memory of 3392	1356	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	83
PID 3392 wrote to memory of 636	3392	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	85
PID 3392 wrote to memory of 636	3392	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	85
PID 3392 wrote to memory of 636	3392	779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe	85
PID 636 wrote to memory of 4012	636	omsecor.exe	87
PID 636 wrote to memory of 4012	636	omsecor.exe	87
PID 636 wrote to memory of 4012	636	omsecor.exe	87
PID 636 wrote to memory of 4012	636	omsecor.exe	87
PID 636 wrote to memory of 4012	636	omsecor.exe	87
PID 4012 wrote to memory of 464	4012	omsecor.exe	107
PID 4012 wrote to memory of 464	4012	omsecor.exe	107
PID 4012 wrote to memory of 464	4012	omsecor.exe	107
PID 464 wrote to memory of 1732	464	omsecor.exe	108
PID 464 wrote to memory of 1732	464	omsecor.exe	108
PID 464 wrote to memory of 1732	464	omsecor.exe	108
PID 464 wrote to memory of 1732	464	omsecor.exe	108
PID 464 wrote to memory of 1732	464	omsecor.exe	108
PID 1732 wrote to memory of 4456	1732	omsecor.exe	110
PID 1732 wrote to memory of 4456	1732	omsecor.exe	110
PID 1732 wrote to memory of 4456	1732	omsecor.exe	110
PID 4456 wrote to memory of 4604	4456	omsecor.exe	112
PID 4456 wrote to memory of 4604	4456	omsecor.exe	112
PID 4456 wrote to memory of 4604	4456	omsecor.exe	112
PID 4456 wrote to memory of 4604	4456	omsecor.exe	112
PID 4456 wrote to memory of 4604	4456	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
"C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
  C:\Users\Admin\AppData\Local\Temp\779a2a6d6661f4041fd3125ba627955c96cff9fb0929632bc7e4fe960336b8c4N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 256
        8⤵
        Program crash
        
        PID:3952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 292
        6⤵
        Program crash
        
        PID:2096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 288
      4⤵
      Program crash
      PID:2252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 292
  2⤵
  - Program crash
  PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1356 -ip 1356
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 636 -ip 636
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 464 -ip 464
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ea8973913d4d32a170fec84aebdd3e3e

SHA1
dfa8885d231689a62a2bbccddf7360544cd7c88a

SHA256
e42ef45b85c7d39af8e2ddcbcf126912567488b687b3de38c44d1dd11370fa9f

SHA512
844bf42fde21b6f74016ceda8cc172b384ca231de5c0ff9f6e8aae2dcc8f9d4aeba0a3c66d41cacf8e4d182766ecf322c0716fd66d4565ca1c6ec6490e34c6c8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
298b12735d9c3e76745889a6a1e3b2a3

SHA1
313f9cecdac5d349a34d00f6e7a7155eac0f7c10

SHA256
95d5e74a97d7087bca7ed2d320128122ea1eeb624983039c335427e73d5b4eb5

SHA512
50fe0f82da9d1e4f23dba35388f36dd8e6180f820b3aa747fafedad246688a362ba2104538c1dd216260d44833dcfb8c9f554de7860222a8c80f98a097bfad00

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e5c4d944e9defa82f1f5d9743c7df80c

SHA1
634053ae8d8ddda894ac5e355eeab5ff07d0efd9

SHA256
a7c6e016719592ffbf3ed6de05d0f2f60046c189aa2ad0c710e2f046c5d55e25

SHA512
62c4156d127589edad72f19d500ebbb067c52583c28e79638caafb3ce276b41c44f7b5554524f8e70460a047fd116ff77ce1c1a0061c3eb1505b338b458c863c

Download Submit
memory/464-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/464-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/636-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1356-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1356-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4012-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4456-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4604-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4604-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4604-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download