neconyd | 706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fc

Analysis

max time kernel
115s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
Size

96KB
MD5

42937ce35b7658b053cf8734ece52ff0
SHA1

f888c23184de6dbcc4bbbf0e34c2b1fbc2262668
SHA256

706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fc
SHA512

6f2961584d83f371124b5983645d8fe5eeb148e3c5170c5f8506ed3b2fc28522f9ef5bbccb5274405b56d8cbf69d94ca75c05bebe9f0947d01ce04caf9e2b577
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:lGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5064	omsecor.exe
4224	omsecor.exe
3836	omsecor.exe
2020	omsecor.exe
2688	omsecor.exe
2488	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 5064 set thread context of 4224	5064	omsecor.exe	87
PID 3836 set thread context of 2020	3836	omsecor.exe	109
PID 2688 set thread context of 2488	2688	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2132	3964	WerFault.exe	82
3520	5064	WerFault.exe	86
5020	3836	WerFault.exe	108
5100	2688	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 3964 wrote to memory of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 3964 wrote to memory of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 3964 wrote to memory of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 3964 wrote to memory of 2500	3964	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	83
PID 2500 wrote to memory of 5064	2500	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	86
PID 2500 wrote to memory of 5064	2500	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	86
PID 2500 wrote to memory of 5064	2500	706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe	86
PID 5064 wrote to memory of 4224	5064	omsecor.exe	87
PID 5064 wrote to memory of 4224	5064	omsecor.exe	87
PID 5064 wrote to memory of 4224	5064	omsecor.exe	87
PID 5064 wrote to memory of 4224	5064	omsecor.exe	87
PID 5064 wrote to memory of 4224	5064	omsecor.exe	87
PID 4224 wrote to memory of 3836	4224	omsecor.exe	108
PID 4224 wrote to memory of 3836	4224	omsecor.exe	108
PID 4224 wrote to memory of 3836	4224	omsecor.exe	108
PID 3836 wrote to memory of 2020	3836	omsecor.exe	109
PID 3836 wrote to memory of 2020	3836	omsecor.exe	109
PID 3836 wrote to memory of 2020	3836	omsecor.exe	109
PID 3836 wrote to memory of 2020	3836	omsecor.exe	109
PID 3836 wrote to memory of 2020	3836	omsecor.exe	109
PID 2020 wrote to memory of 2688	2020	omsecor.exe	111
PID 2020 wrote to memory of 2688	2020	omsecor.exe	111
PID 2020 wrote to memory of 2688	2020	omsecor.exe	111
PID 2688 wrote to memory of 2488	2688	omsecor.exe	113
PID 2688 wrote to memory of 2488	2688	omsecor.exe	113
PID 2688 wrote to memory of 2488	2688	omsecor.exe	113
PID 2688 wrote to memory of 2488	2688	omsecor.exe	113
PID 2688 wrote to memory of 2488	2688	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
"C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
  C:\Users\Admin\AppData\Local\Temp\706a452aa5efc63d4c65d4d4755675e3b92efd34f1eb6b236237e81846fa72fcN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 256
        8⤵
        Program crash
        
        PID:5100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 296
        6⤵
        Program crash
        
        PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 288
      4⤵
      Program crash
      PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 272
  2⤵
  - Program crash
  PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3964 -ip 3964
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5064 -ip 5064
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3836 -ip 3836
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2688 -ip 2688
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
01540c75caf37226a9207f3aa3b6683c

SHA1
03dbd6aeb6768a13082290ff1b6eec78a360e7a7

SHA256
8331a0a031d974518135e87a8077ddf5e266786689b47e91a6f975857afd8358

SHA512
96b8bcf299e4f47a641737b454930aa3548a072bb80d044364d01485ec2a0f15b3db04403dc08df2f9f8fc42483edf4ae8f9a44964ed3c52a5821bdf053b5c8f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
986a59838d47d05a8160bd5d20c0face

SHA1
6c39124faa0976d3d14a693969a3b7aed0200797

SHA256
3caf7ef23c111c5f912e151c60bd1620d465efd535c7a7e8fe15c2b7446cd5ce

SHA512
83a5458aa74c0ba7b506cacee0b066aaf9d3fe3feb702e5791de6e1f62669843199fa74657fec189f653d7734af874266ba29fd835395072812d812a58259bdb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
49c4141542603f442dea15c8a277f487

SHA1
d6f99e659da8cdc9017f80066789cfaced433515

SHA256
d916ae5f1ee6f58f01a7b89d98c10a8169b48308773e15bd6bf501f48a5bc396

SHA512
2b15c1c752466595a4e2258f096c2fa73a792f956d60b4c336c93a7167f9c861485a224db18c6369da3ed6ef9cd9899141e5802dfa3f98bd879f23b728ebabd7

Download Submit
memory/2020-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2488-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3836-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3836-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3964-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3964-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4224-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5064-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download