neconyd | ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Size

134KB
MD5

50efc66dc1e46205b6a07abe4a22b288
SHA1

34c834ade74b4c8608411fff6238343e9b42e832
SHA256

ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7
SHA512

30e1cc6e1801de6545a4b3c1bb7291d93dc19063ad86ac951a5735754226ac70a1115a643604cbff1e282738f80712afd258540fa2fdd9026b5d45b51f9d3eb4
SSDEEP

1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiF:jiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3032	omsecor.exe
452	omsecor.exe
608	omsecor.exe
228	omsecor.exe
1672	omsecor.exe
4352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3560 set thread context of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 3032 set thread context of 452	3032	omsecor.exe	86
PID 608 set thread context of 228	608	omsecor.exe	100
PID 1672 set thread context of 4352	1672	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4584	3560	WerFault.exe	81
2008	3032	WerFault.exe	84
3168	608	WerFault.exe	99
4160	1672	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 3560 wrote to memory of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 3560 wrote to memory of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 3560 wrote to memory of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 3560 wrote to memory of 640	3560	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	82
PID 640 wrote to memory of 3032	640	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	84
PID 640 wrote to memory of 3032	640	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	84
PID 640 wrote to memory of 3032	640	ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe	84
PID 3032 wrote to memory of 452	3032	omsecor.exe	86
PID 3032 wrote to memory of 452	3032	omsecor.exe	86
PID 3032 wrote to memory of 452	3032	omsecor.exe	86
PID 3032 wrote to memory of 452	3032	omsecor.exe	86
PID 3032 wrote to memory of 452	3032	omsecor.exe	86
PID 452 wrote to memory of 608	452	omsecor.exe	99
PID 452 wrote to memory of 608	452	omsecor.exe	99
PID 452 wrote to memory of 608	452	omsecor.exe	99
PID 608 wrote to memory of 228	608	omsecor.exe	100
PID 608 wrote to memory of 228	608	omsecor.exe	100
PID 608 wrote to memory of 228	608	omsecor.exe	100
PID 608 wrote to memory of 228	608	omsecor.exe	100
PID 608 wrote to memory of 228	608	omsecor.exe	100
PID 228 wrote to memory of 1672	228	omsecor.exe	102
PID 228 wrote to memory of 1672	228	omsecor.exe	102
PID 228 wrote to memory of 1672	228	omsecor.exe	102
PID 1672 wrote to memory of 4352	1672	omsecor.exe	103
PID 1672 wrote to memory of 4352	1672	omsecor.exe	103
PID 1672 wrote to memory of 4352	1672	omsecor.exe	103
PID 1672 wrote to memory of 4352	1672	omsecor.exe	103
PID 1672 wrote to memory of 4352	1672	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
"C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  C:\Users\Admin\AppData\Local\Temp\ba5d3d842567b568f81a124c04265ae9d2ab2f6af74a6ca32736dd2d476f16d7.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:608
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 256
        8⤵
        Program crash
        
        PID:4160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 292
        6⤵
        Program crash
        
        PID:3168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 300
      4⤵
      Program crash
      PID:2008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 300
  2⤵
  - Program crash
  PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3032 -ip 3032
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 608 -ip 608
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1672 -ip 1672
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
42663dee8beb398c94d003b622ba7319

SHA1
c13355ac57d2490af25c11cf307c7ccac42cb756

SHA256
515a2089f89a27368002fd957b4acbe6140b8268029f2a643aa88f964d70f2f2

SHA512
7efc61c38c738dae301f003e1303884d0bc7eabbda874b3710e6d0fd60a9f6f5aeb70e50ade24bb812484555ee0fd2af58b1715e8747997dc38d607d4f37620a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
949e4e80a44bd6e5c00199acb81fce42

SHA1
ee52fbd0ca86ab888e58c7c82ef600b4e5ae8622

SHA256
b65db116db21735859d9f8f9b686c9ba57c1b8774d4553d34af5bc4923c31c9d

SHA512
4e0577888ffa1f91c90ae7089afc371731012c42b0970010f50673a741c118e59d66f1169f2e98a7da26840e814edbd50afbf305487483ed6c4368008104d022

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
e7d9b095a543451126a8d8cb0b20934c

SHA1
eed43f3212d87a94da4e8c34dbe2121f577fd886

SHA256
8c6e695aae8208619d1c9ab1593ecaf7619cf291c02c5ab894ec81c480da5002

SHA512
d0587123ef3b727a41469ab2cbfe4300d736971808a76ebb356e901f32a77c6370b8c2a6a6455f4614bcb3cec1f2688900a8cda219c5f1e8f2ae95ca25456aeb

Download Submit
memory/228-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/228-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/228-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/452-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/608-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/608-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/640-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/640-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1672-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3032-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3032-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3560-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3560-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4352-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4352-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4352-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download