neconyd | 17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
Size

96KB
MD5

32686f40eab1e6acfa80d4445faef879
SHA1

87c90e4237a46b7fece4b1a1f53213d2b337e0d3
SHA256

17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90
SHA512

2dfee0aa179135e42a7bfc61a69adef1ccaa08ee6f5210f4b5691fff377ac9ea015d1377f576b1034777d78a013ef51457ffdaddc4b5854b7764882d562bdf36
SSDEEP

1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:BGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3612	omsecor.exe
4780	omsecor.exe
4816	omsecor.exe
616	omsecor.exe
4536	omsecor.exe
3464	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 3612 set thread context of 4780	3612	omsecor.exe	87
PID 4816 set thread context of 616	4816	omsecor.exe	109
PID 4536 set thread context of 3464	4536	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
772	3612	WerFault.exe	85
3048	956	WerFault.exe	82
1800	4816	WerFault.exe	108
392	4536	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 956 wrote to memory of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 956 wrote to memory of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 956 wrote to memory of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 956 wrote to memory of 5024	956	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	83
PID 5024 wrote to memory of 3612	5024	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	85
PID 5024 wrote to memory of 3612	5024	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	85
PID 5024 wrote to memory of 3612	5024	17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe	85
PID 3612 wrote to memory of 4780	3612	omsecor.exe	87
PID 3612 wrote to memory of 4780	3612	omsecor.exe	87
PID 3612 wrote to memory of 4780	3612	omsecor.exe	87
PID 3612 wrote to memory of 4780	3612	omsecor.exe	87
PID 3612 wrote to memory of 4780	3612	omsecor.exe	87
PID 4780 wrote to memory of 4816	4780	omsecor.exe	108
PID 4780 wrote to memory of 4816	4780	omsecor.exe	108
PID 4780 wrote to memory of 4816	4780	omsecor.exe	108
PID 4816 wrote to memory of 616	4816	omsecor.exe	109
PID 4816 wrote to memory of 616	4816	omsecor.exe	109
PID 4816 wrote to memory of 616	4816	omsecor.exe	109
PID 4816 wrote to memory of 616	4816	omsecor.exe	109
PID 4816 wrote to memory of 616	4816	omsecor.exe	109
PID 616 wrote to memory of 4536	616	omsecor.exe	111
PID 616 wrote to memory of 4536	616	omsecor.exe	111
PID 616 wrote to memory of 4536	616	omsecor.exe	111
PID 4536 wrote to memory of 3464	4536	omsecor.exe	113
PID 4536 wrote to memory of 3464	4536	omsecor.exe	113
PID 4536 wrote to memory of 3464	4536	omsecor.exe	113
PID 4536 wrote to memory of 3464	4536	omsecor.exe	113
PID 4536 wrote to memory of 3464	4536	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
"C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
  C:\Users\Admin\AppData\Local\Temp\17b4c42e925447da9056b400b15ff246e0a736295dcda1eef2145981cd51ce90.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 256
        8⤵
        Program crash
        
        PID:392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 292
        6⤵
        Program crash
        
        PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 296
      4⤵
      Program crash
      PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 280
  2⤵
  - Program crash
  PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 956 -ip 956
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3612 -ip 3612
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4536 -ip 4536
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9873188b44d38ddbf723bb7886c4c0b2

SHA1
54457c4f40849dcc9c6cdf141ab3e1496f5d48da

SHA256
aa9f3e36c2f1294dc7003cdfc7be57f38047560fada5fe5b54bae7f96581a0ff

SHA512
2f9a778342571d571c8a75755fae28f1e0e27a70d50fe2027d1e64bca36b312c1c39cc9aca8471867f33d2bafae238da3c536dd815445bbc652f23468b6f97ce

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0d7cf5c4f57f7c89e4598eeeaeb9b573

SHA1
e7db55333f52ad6275a7bf3e3d9cc34c8decb10f

SHA256
a983ce7722bb3f6cd161418a02bc3c4bbf982abec3041d133b17d8e770c605fe

SHA512
e30eeae08c91cab9f3fa80e7c46a63f6f525cfb56bc930b96f8aa5836f9d313899a5ccae4f9cd7f3d95d056f55a2e2d6bf0d76ea35fe8ef10f624fedc2f6fd07

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
912d0d2affe3743a272907c0e2ddc9a5

SHA1
283eff502bcb769a61375bf8d0634ccecfd60d8f

SHA256
d9834176b138fac0be2f89bc82ceb769f693aac72359f12b1c9b5564758ca2a4

SHA512
bfdab7697c2b307d259b2beca1d86145d79e3d9f8eaa76cfa4546aa77ff3752877e0cccd94a28f85cd61637e659ff98ff60a72878b994ceb4c2615de01571b5a

Download Submit
memory/616-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/616-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/616-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/956-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3464-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3464-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3464-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3464-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3612-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3612-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4780-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4816-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4816-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5024-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download