neconyd | dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
Size

96KB
MD5

168cc088b9275fac6fa9e812180340a6
SHA1

9a820b3ed0f490524a68062586c28a427886c5e0
SHA256

dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2
SHA512

9b2ba200bac64e4d80c1de7b8ca42102acae3fc80bc486283316d9c5c6e2b2ee5220e08065ed0acaaac38d9aa555c67846ab480d6bef2bf502200cb1f74de62b
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:aGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3088	omsecor.exe
3476	omsecor.exe
4452	omsecor.exe
4208	omsecor.exe
672	omsecor.exe
428	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 3088 set thread context of 3476	3088	omsecor.exe	87
PID 4452 set thread context of 4208	4452	omsecor.exe	100
PID 672 set thread context of 428	672	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1780	3928	WerFault.exe	81
3412	3088	WerFault.exe	84
2868	4452	WerFault.exe	99
2060	672	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 3928 wrote to memory of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 3928 wrote to memory of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 3928 wrote to memory of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 3928 wrote to memory of 2200	3928	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	82
PID 2200 wrote to memory of 3088	2200	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	84
PID 2200 wrote to memory of 3088	2200	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	84
PID 2200 wrote to memory of 3088	2200	dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe	84
PID 3088 wrote to memory of 3476	3088	omsecor.exe	87
PID 3088 wrote to memory of 3476	3088	omsecor.exe	87
PID 3088 wrote to memory of 3476	3088	omsecor.exe	87
PID 3088 wrote to memory of 3476	3088	omsecor.exe	87
PID 3088 wrote to memory of 3476	3088	omsecor.exe	87
PID 3476 wrote to memory of 4452	3476	omsecor.exe	99
PID 3476 wrote to memory of 4452	3476	omsecor.exe	99
PID 3476 wrote to memory of 4452	3476	omsecor.exe	99
PID 4452 wrote to memory of 4208	4452	omsecor.exe	100
PID 4452 wrote to memory of 4208	4452	omsecor.exe	100
PID 4452 wrote to memory of 4208	4452	omsecor.exe	100
PID 4452 wrote to memory of 4208	4452	omsecor.exe	100
PID 4452 wrote to memory of 4208	4452	omsecor.exe	100
PID 4208 wrote to memory of 672	4208	omsecor.exe	102
PID 4208 wrote to memory of 672	4208	omsecor.exe	102
PID 4208 wrote to memory of 672	4208	omsecor.exe	102
PID 672 wrote to memory of 428	672	omsecor.exe	104
PID 672 wrote to memory of 428	672	omsecor.exe	104
PID 672 wrote to memory of 428	672	omsecor.exe	104
PID 672 wrote to memory of 428	672	omsecor.exe	104
PID 672 wrote to memory of 428	672	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
"C:\Users\Admin\AppData\Local\Temp\dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
  C:\Users\Admin\AppData\Local\Temp\dd80e6636cb15c19b702230f488dfca96f1d63ca7a171124de70f607d11a00f2.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 240
        8⤵
        Program crash
        
        PID:2060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 292
        6⤵
        Program crash
        
        PID:2868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 292
      4⤵
      Program crash
      PID:3412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 300
  2⤵
  - Program crash
  PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3928 -ip 3928
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3088 -ip 3088
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4452 -ip 4452
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 672 -ip 672
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e277aff43a19132fa89c2f398408088d

SHA1
54eba2c504bbafdfb529f3b76be845ff79924d9e

SHA256
2dbfb42166871295d213f139b75362e5f102732158a97c19071d90bec3f7f328

SHA512
13df7cc647b4643f1cf7b7b332ae874ec92d0b63b47c98ec45747c107159c24b33b81c7bf86716c0eb9a913c33a24231399146322522c8fbded224f947c0e538

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0a341dfc21966f2a7ffb09aa55e26334

SHA1
716ee97783219b260bfc6a111fcda44e71e19288

SHA256
f468aa938a63a3bd5fbcb50baf588a9c2b0f29c558c61115f83ffd7f607c639d

SHA512
4ee2fc871762eb73036395e53c8a4e1a442a51e957008c77647ebe1ff0fa366dca08aec51a5d474aab930379a69b87c1f2e20162aadf9053cbfcd5a5392495dd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f500b9b5a8890a323e27dc98b915f670

SHA1
949547229699e77ae75550018e159e6903aa7f5e

SHA256
bdb60aba3d656f66033f69215870ecfd208f77b6ee066d085ce32854c6d5aa87

SHA512
c179a75536720fa9d9bc7f43f3b5a826912de7e74102076ad1e46787fb1f92f6812a921db19e8da586532421c0d8c5d137f112f03aa0d14a932a0442049958c1

Download Submit
memory/428-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/428-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/428-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/428-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/672-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2200-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2200-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3088-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3088-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3476-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3928-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3928-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4208-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4452-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download